The Federal Trade Commission (“FTC”) announced on Monday that it is settling a case against Drizly and its CEO stemming from a 2020 data breach that impacted roughly 2.5 million consumers. The proposed order not only contains a laundry list of security-related obligations for Drizly that span twenty years, but also names and targets its CEO James Cory Rellas personally, hitting him with obligations that will follow him for a decade, even if he moves to other organizations. There are also hints that the FTC intends to elevate information security issues to boards of directors and other top-level executives.

In its press release announcing the settlement, the FTC stated, “In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”

According to the FTC’s complaint, Drizly and its CEO, James Cory Rellas (who was individually named in the complaint), became aware of information security issues at Drizly following an earlier security incident in 2018, but failed to take adequate steps to fix them, all the while publicly claiming to have appropriate security protections in place.

Specifically, the FTC’s complaint alleges that Drizly and Rellas:

- Failed to implement basic security measures: The FTC alleged that despite statements claiming the company used appropriate security practices to protect consumer data, Drizly failed to implement reasonable safeguards, did not require employees to use two-factor authentication, did not limit employee access to personal data, did not develop adequate written security policies, and did not train employees on those procedures.
- Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on its hosting platform contrary to the platform’s own guidance and well-publicized security incidents involving that platform.
- Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.