February 6, 2023

Volume XIII, Number 37


February 03, 2023


Security Breach Results in FTC Action, With Accompanying Executive Liability

Continuing the recent trend of holding company executives personally liable for a company’s alleged violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), the Federal Trade Commission (FTC) announced a complaint and consent agreement with Drizly, LLC (“Drizly”), an alcohol delivery app, and Chief Executive Officer James Cory Rellas over the failure to implement reasonable information security practices.

As alleged in the complaint, Drizly and Rellas became aware of data security deficiencies following a 2018 security incident. Drizly failed to adequately address the security deficiencies, but publicly stated that it had appropriate security protections in place. Two years after the initial security incident, Drizly suffered a new security incident, resulting in the loss of personal information of 2.5 million consumers.

The FTC alleged in the complaint that this is both unfair and deceptive and therefore a violation of the FTC Act because Drizly (1) stated it had appropriate security practices in place to protect customer information, but did not require employees to use two-factor authentication to access software, limit employee access to customer data, “develop adequate written security policies, or train employees on those policies;” (2) stored database login information on an unsecured platform; (3) failed to monitor its network for security threats; and (4) exposed customers to hackers and identity thieves.

The failure to employ reasonable security practices was unfair according to the FTC because it “caused or is likely to cause substantial injury to consumers that is not outweighed by the countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves.”

Rellas is personally liable, as alleged by the FTC, because he had the authority to control, or participated in, the company’s deficient data security practices as CEO, including his “fail[ure] to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly.” Notably, the proposed order imposes data security compliance obligations on Rellas, even if he leaves Drizly.

Commissioner Christine S. Wilson issued a separate statement, concurring with the decision to hold Drizly liable, but dissenting on holding Rellas individually liable for Drizly’s deficient data practices. Commissioner Wilson reasoned that “CEOs have hundreds of issues and numerous regulatory obligations to navigate. Companies, not federal regulators, are better positioned to evaluate what risks require the regular attention of a CEO.”

If the proposed order is made final by the FTC, Drizly and Rellas are required to:

  • Destroy unnecessary consumer personal information;

  • Limit the future collection of personal information; and

  • Implement a comprehensive data security program.

Further, Drizly is required to conduct biennial security assessments for the next twenty years, and Rellas is required to ensure that any future company where he is the majority owner or senior executive officer maintains a comprehensive data security program. The FTC’s requirements for the comprehensive data security program include:

  • Vulnerability testing of the network and applications every four months; and

  • Penetration testing the business’s network and applications every twelve months.

Businesses and executives should take note—data protection is an enforcement priority for regulators. For more information, reach out to the authors or your relationship partner at the firm. For more, stay tuned. CPW is there to keep you in the loop.

© Copyright 2023 Squire Patton Boggs (US) LLP

National Law Review, Volume XII, Number 298

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA
Partner

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

213-689-6518
Kyle Dull Data Privacy & Cybersecurity Lawyer Squire Patton Boggs Miami Florida
Associate

A former assistant attorney general, Kyle has extensive experience investigating and litigating privacy and advertising law violations. He now draws on that experience to advise clients on their own data privacy, cybersecurity and advertising risks, and is regularly retained by corporations to defend and resolve enforcement actions.

Kyle has a solid understanding of domestic and international privacy laws and counsels digital media companies looking to protect their digital property and avoid potential legal issues by negotiating and drafting licensing, joint venture and data...

+1 305 577 2840