Overview of Drizly Data Breach
Drizly is a Boston-based business that operates an online platform selling alcohol directly to consumers. In October 2022, the U.S. Federal Trade Commission (FTC) took action against Drizly and its CEO, James Cory Rellas, for security failures that led to the personal data of about 2.5 million consumers being obtained by a hacker and offered for sale on the dark web. The FTC alleged that Drizly failed to use reasonable information security practices to protect its consumers’ personal data. These failures included, among other things, not having adequate written standards, policies, procedures, or training in place (including a data retention policy), not securely storing login credentials, having weak access controls, and not monitoring, auditing, or testing its information security systems.
FTC Findings on Drizly’s Violation of Section 5(a) of the FTC Act
Section 5(a) of the Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce”. The FTC alleged that Drizly violated Section 5(a) on both grounds:
- Drizly failed to employ reasonable security measures to protect consumers’ personal data, which caused or is likely to cause substantial injury to consumers, and its practices were therefore unfair; and
- Drizly’s various privacy policies published at different times stated that Drizly used “standard, industry-wide, commercially reasonable security practices”, in particular encryption and firewalls, as well as “appropriate safeguards to protect consumers’ personal information”. The FTC alleged that these statements were false or misleading, and therefore deceptive, because Drizly in fact failed to maintain reasonable safeguards, which resulted in the data breach.
Steps Ordered by the FTC for Drizly’s Compliance
As a result, the FTC ordered Drizly to do the following, and to keep doing so for the 20-year term of the order:
- Delete all unnecessary personal data, report this to the FTC, and limit the personal data it collects in future;
- Publish a publicly available data retention policy on Drizly’s website and apps;
- Implement an information security program (which must include measures such as designating a qualified employee responsible for the program, documenting data breaches, implementing safeguards such as a written security policy, training for employees, strong password requirements and multi-factor authentication for both employees and consumers);
- Conduct regular testing of the safeguards;
- Procure biennial assessments by qualified, objective, independent third party professionals; and
- Annually certify to the FTC that it is complying with the order.
Implications of FTC Enforcement Action for Businesses
The FTC’s order against Drizly provides valuable insight into what it will require from businesses that store the personal data of their customers. The FTC does not, in this case, require anything more than what is market standard: implementing a comprehensive information security program; adopting information security policies, procedures, and practices (including a data retention schedule); training employees; appointing a senior person to oversee the information security program and practices of the business; and adhering to industry standards for passwords and access control (such as requiring employees and users to use unique, complex passwords and multi-factor authentication).
Implementing these measures is not an overly complex exercise, but it does require knowledge of the constantly evolving market standard practices and of the applicable security and privacy laws, which is not always available in-house. Beyond this, it is important for your business to be transparent in its public and client-facing statements: it is not enough for a privacy notice to say that a business maintains reasonable security measures. The privacy notice must be substantively accurate as well, because the FTC treats a security promise that the business does not actually keep as a deceptive practice in its own right. VeraSafe can support your efforts and help your business implement an all-inclusive information security and data protection plan, including a risk assessment, required policies, and an external data protection officer.
Personal Responsibility of Senior Executives for Information Security Practices
Importantly, the FTC’s order also binds Drizly’s CEO personally for the security failures. It requires him to implement a comprehensive information security program at any business where he is a majority owner, CEO, or senior officer with responsibility for information security and that collects personal data from more than 25,000 individuals. This requirement will follow the CEO to successive roles for the next 10 years. The order against the CEO was made in his capacity as the senior person overseeing the information security practices of the business, rather than as a blanket application to all CEOs. The responsibility of ensuring that a business has reasonable information security measures in place, then, arguably extends to whoever is the senior person overseeing the information security practices of a business, such as a data protection officer, chief privacy officer, or chief information security officer.
The extent of the FTC’s enforcement action understandably causes some alarm for businesses that collect and store the personal data of consumers. If you are not sure how to implement the FTC’s requirements in an effective and efficient way, VeraSafe’s team of privacy and IT professionals can provide you with detailed and practical compliance support to help you and your business avoid similar challenges.