FTC seeks to hold CEO Drizly accountable for alleged security flaws
Drizly app on smartphone.
Tiffany Hagler-Geard | Bloomberg | beautiful pictures
In a new proposed solutionThe Federal Trade Commission is looking to hold a tech CEO accountable for specific privacy standards, even if he moves to a new company.
The agency announced Monday that its four commissioners voted unanimously to issue a proposed order against alcohol distribution platform Drizly and its CEO James Cory Rellas for allegedly failing to implement adequate security measures, resulting in a 2020 data breach that exposed personal information over about 2.5. million consumers.
Uber acquire Drizly for $1.1 billion in 2021.
The FTC stated that despite being alerted to security concerns two years before the breach occurred, Drizly and Rellas did not do enough to protect their user information.
While settlements like these are not uncommon for the FTC, the decision to name the CEO and have regulations follow him after his tenure at Drizly is a prime example of the approach taken by the Chairman. Democrat Lina Khan preferred. Some radical enforcers have argued that naming tech executives in their lawsuits should create a stronger deterrent signal to other potential violators.
The proposed order, which has a 30-day public comment period before the committee votes on whether to make a final decision, would require Rellas to implement an information security program. at future companies where he is the CEO, majority owner or a senior official. responsibility for information security, as long as the company collects consumer information from more than 25,000 people.
Although Republican Commissioner Christine Wilson voted with three of the agency’s Democrats to impose a settlement proposal against Drizly, she opposed the designation of Rellas as an individual defendant. In a statement, Wilson wrote that naming Rellas would not lead to “market attention that the FTC would use its resources to target lax data security practices.”
“Instead, it signaled that the agency would replace its own judgment on corporate priorities and corporate governance decisions,” she wrote, adding that with the overview widely by CEOs about their businesses, it is best for companies rather than regulators to determine what executives need to be concerned about on a regular basis.
In a joint statement, Khan and Democratic Commissioner Alvaro Bedoya hit back at Wilson’s argument, writing that “Supervising a large corporation is not an excuse to perform subordinate legal obligations in favor of the company.” other priorities. The FTC has a role to play in ensuring the company’s legitimacy is considered in the boardroom.”
Khan’s FTC has named other executives in previous complaints, like it did when it named Meta CEO Mark Zuckerberg as a defendant in a lawsuit seeks to block the company’s proposed acquisition of virtual reality company Within Unlimited. But it then dropped him from the complaint after the company said Zuckerberg wouldn’t try to buy Within.
The order against Drizly would also require the company to destroy personal data it has collected but no longer need, limit future data collection, and establish a comprehensive security program that includes mining. Create for employees and control who can access data.
A Drizly spokesperson said: “We take consumer privacy and security very seriously at Drizly and are delighted to host this 2020 event.