C-Suite take note: In an aggressive enforcement action, the Federal Trade Commission (FTC) has sanctioned James Cory Rellas, the CEO of Uber-owned beverage delivery service Drizly, for a 2021 data breach that compromised the personal information of approximately 2.5 million customers.
The enforcement action cites several areas where Drizly failed to follow FTC guidelines for the protection of consumer data. In a sign of possible future executive sanctions, the ruling will survive Rellas’ employment at Drizly; he will be subject to FTC restrictions at any company he owns or that employs him in the future.
FTC Bureau of Consumer Protection Director Samuel Levine made the Bureau’s intentions clear in its announcement, saying, “CEOs who take shortcuts on security should take note.”
How the Drizly Hack Happened
In its complaint, the FTC found that an unnamed Drizly executive uploaded the company’s software to the online repository GitHub, including unencrypted AWS credentials. A hacker who obtained Rellas’ password through a previous breach was able to access Drizly’s production environment using the AWS data from GitHub, then alter the environment to download sensitive customer data without Drizly’s knowledge. Those data were then sold on the Dark Web, with Drizly learning of the breach from customers who went to the media to report identity theft.
The FTC noted several violations of consumer data protection policy, including:
- Failure to have a qualified data protection specialist working for the company
- Failure to safely store credentials
- Failure to have written policies in place for the safe storage and destruction of customer information
- Failure to provide access controls for sensitive user information
- Failure to monitor for data loss
- Failure to test proprietary systems for security vulnerabilities
- Failure to train staff in phishing awareness and data security
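The root cause described above (AWS credentials committed to a GitHub repository) and the "failure to safely store credentials" finding are the kind of thing a simple pre-commit secret scan catches before code leaves a developer's machine. The following is an added example, not code from the article or from Drizly, showing how such a check can be written: it flags AWS access key IDs and secret access keys in file content, reports them redacted so the report itself does not leak the key, and leaves the safe form (a credential supplied at runtime from the environment) alone. The sample configuration is constructed for the example; the key values in it are the placeholder values AWS uses in its own documentation, not real credentials.

```python
import re
from typing import Dict, List

# AWS access key IDs: long-term keys start with "AKIA", temporary (STS) keys
# with "ASIA", each followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-style text. On their own
# that is too noisy to flag, so we only report one when it is assigned to a
# key-like name on the same line. A value such as ${AWS_SECRET_ACCESS_KEY}
# does not match because "$" is outside the character class.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return findings as {line, kind, value} for credential-looking strings."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "value": m.group(1)})
    return findings


def redact(value: str) -> str:
    """Keep the first four characters so a report can be triaged without re-leaking the key."""
    return value[:4] + "*" * (len(value) - 4)


def has_leaked_credentials(text: str) -> bool:
    """Gate function for a pre-commit hook: True means the commit should be blocked."""
    return bool(scan_text(text))


# Constructed sample: a settings file with embedded keys (the values are the
# placeholders from AWS documentation), followed by the safe runtime form.
SAMPLE_CONFIG = """\
# settings.ini committed to the repository
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1

# the safe form: credentials injected at runtime, nothing stored in git
[safe]
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} {redact(str(f['value']))}")
    print("blocked" if has_leaked_credentials(SAMPLE_CONFIG) else "clean")
```

Wired into a pre-commit hook, a non-zero exit from `has_leaked_credentials` stops the commit; the same scan run over an existing repository's history is the first step in finding keys that have already been exposed and need rotating.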
Those following recent FTC news will recognize these elements of the revised FTC Safeguards Rule, which goes into effect on December 7, 2022.
Consequences for Drizly and Its CEO
In its enforcement action, the FTC requires Drizly as a company to do the following:
- Destroy unnecessary customer data
- Limit future data collection
- Implement an information security program, including training, controls on data access, requiring multi-factor authentication and designating a high-level employee to oversee information security
The above restrictions also apply personally to Rellas and will follow him to any business that holds data on more than 25,000 individuals that he owns or where he has a C-Suite role that includes information security. It essentially bans Rellas from having sole authority over customer data in his current or any future executive position.
Business Owners Should Boost Security Now
Coming on the eve of full implementation of revised FTC Safeguards rules, this enforcement action sends a clear message to business owners and executives: Make compliance a priority, or you could be personally sanctioned by the Federal Government. Murky guidelines on liability and responsibility have, for the moment, been swept away and replaced with a far more aggressive stance from the FTC.
Compliance with the Safeguards Rule is not overly complex, but it does require a “Qualified Individual” to oversee data practices, regular cyber security training and regular information protection reviews and reporting. For smaller businesses, particularly those defined as financial services companies by the FTC, a Virtual CISO can provide complete compliance services at an affordable rate.
Protect Now will help you exceed FTC Safeguards Rule requirements with proven training programs, compliance services and Dark Web monitoring. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.