In a new proposed settlement, the Federal Trade Commission is seeking to require a tech CEO to meet specific security standards, even if they move to a new company.
The agency announced on Monday that its four commissioners voted unanimously to issue a proposed order against alcohol delivery platform Drizly and its CEO James Cory Rellas for allegedly failing to implement adequate security measures, which ultimately resulted in a 2020 data breach exposing personal information of approximately 2.5 million consumers.
Uber acquired Drizly for $1.1 billion in 2021.
The FTC says that despite being alerted to the security issues two years before the breach, Drizly and Rellas did not do enough to protect their users’ information.
While settlements like this aren’t all that uncommon for the FTC, its decision to name the CEO and have the stipulations follow him beyond his tenure at Drizly illustrates an approach favored by Democratic Chairwoman Lina Khan. Some progressive enforcement officials have argued that naming tech leaders in their lawsuits should create a stronger deterrent signal to other potential violators.
The proposed order, which is subject to a 30-day public comment period before the commission votes to make it final, would require Rellas to implement an information security program at future businesses where he is CEO, a majority shareholder, or a senior executive with information security responsibilities, provided the company collects consumer information from more than 25,000 people.
Although Republican Commissioner Christine Wilson voted with all three agency Democrats to impose the proposed settlement against Drizly, she opposed naming Rellas as an individual defendant. In a statement, Wilson wrote that naming Rellas will not “warn the market that the FTC will use its resources to target lax data security practices.”
“Instead, it signaled that the agency will substitute its own judgment on corporate priorities and governance decisions for those of the companies,” she wrote, adding that given the broad overview CEOs have of their activities, it is best left to companies rather than regulators to determine what the CEO should pay regular attention to.
In a joint statement, Khan and Democratic Commissioner Alvaro Bedoya responded to Wilson’s argument by writing that “big business oversight is no excuse for subordinating legal obligations in favor of other priorities. FTC has a role to play in ensuring that a company’s legal obligations are weighed in the boardroom.”
Khan’s FTC has named other executives in past complaints, such as when it named Meta CEO Mark Zuckerberg as a defendant in a lawsuit to block the company’s proposed acquisition of virtual reality company Within Unlimited. But it later removed him from the complaint after the company said Zuckerberg would not personally try to buy Within.
The order against Drizly would also require the company to destroy personal data it has collected but no longer needs, limit future data collection, and establish a comprehensive security program including training for employees and controls over who can access the data.
“We take consumer privacy and security very seriously at Drizly, and are pleased to put this 2020 event behind us,” a Drizly spokesperson said in a statement.