The Federal Trade Commission has finalized an order with online alcohol marketplace Drizly and its CEO over security failures by the company that the FTC said led to a data breach exposing the personal information of about 2.5 million consumers.
According to an FTC complaint first announced in October 2022, Drizly and its CEO James Cory Rellas were alerted to security vulnerabilities two years prior to the 2020 breach yet failed to take steps to protect consumers’ data from hackers despite publicly claiming to have appropriate security protections in place. The FTC said Drizly failed to implement basic security measures, stored critical database information on an unsecured platform, and neglected to monitor security threats.
The FTC’s order, among other things, requires Drizly to destroy any personal data it collected that is not necessary for it to provide products or services to consumers, and to refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also publicly detail on its website the information it collects and why such data collection is necessary. In addition, Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the types of security incidents outlined in the complaint.
In addition to the requirements imposed on Drizly, Rellas must implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.
After receiving no substantive comments, the Commission voted 4-0 to finalize the complaint and order against Drizly.
