Welcome to GRIP, Global Relay’s new digital information service on practical compliance and regulatory change.

Please enjoy this free trial of our subscription content service, for a limited time only.

  

Rules

FTC ruling applying to executive throughout career prompts ‘astonishment’

Drizly homepage
Photo: Screenshot Drizly

Martin Cloake

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Order laid after data breach at online liquor store Drizly affects 2.5 million customers.

Security failures that led to the theft of 2.5 million consumers’ information from online liquor store Drizly have led to enforcement action by the Federal Trade Commission. But the detail of the action makes this more than just another enforcement story.

What makes this stand out is that the charges have been laid not just against the business, but against its CEO James Rellas personally. And this means he will have to abide by the terms of the consent order even if he leaves and takes another job.

Eyebrow-raising

The detail is picked up and discussed in some depth by industry expert Matt Kelly, the editor and CEO of RadicalCompliance.com, and the piece makes for a fascinating read. Detail of the security lapses is set out in the FTC complaint, detail which in itself is eyebrow-raising.

Drizly used Amazon Web Services and Github to operate. Employees were required to use their personal Github accounts to access corporate data. But Drizly did not require them to use complex passwords or multi-factor authentication.

In April 2018, the company gave one of its executives access to its Github respositories to enable participation in a one-day hackathon. He used a seven-character password he also used for a number of other accounts. In July 2020, a hacker accessed the executive’s personal Github account, was able to jump to Drizly’s corporate account and get hold of credentials to access its AWS data.

Dark web

That data contained personal information on 2.5 million customers, which was put on to the dark web. Drizly remained unaware of the breach until reports of its customers’ accounts being sold on the dark web surfaced.

Drizly, Rellas and the FTC have agreed the terms of a consent order that includes remediation measures with neither party admitting or denying any of the allegations. But, says Kelly, “What’s most interesting is that those remediation steps (and others) apply to both Drizly as a corporation and to Rellas personally — so that even if he leaves Drizly and takes another job elsewhere, Rellas will need to do the same at his new employer.”

Astonishing

The wording in the order says clearly that “the Commission’s proposed order will follow Rellas even if he leaves Drizly”. Kelly observes: “Never have I heard of a civil enforcement action like this, one that requires reforms to business operations, apply to an executive personally as he transits through his career. It’s astonishing.”

Christine Wilson, the Republican FTC commissioner, went as far as to issue a statement opposing the terms set for Rellas personally. But the FTC’s approach was summarized by chairman Lena Khan. She said: “Holding individual executives accountable, as we also do here, can further ensure that firms and the officers that run them are better incentivized to meet their legal obligations.”

, , , ,

You may also like