The FTC’s enforcement action named CEO James Cory Rellas personally, as well as the company. Notably, the action applies to Rellas even if he leaves Drizly, where a breach allegedly exposed the data of 2.5 million customers. The FTC said that under the proposed consent order, “Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO or senior officer with information security responsibilities.”
As Law360 reports, industry lawyers say that FTC Chair Lina Khan and Democratic Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter will probably keep leveraging their majority to tighten the screws on executives they see as shirking their cybersecurity obligations. Sean Griffin of the law firm Dykema Gossett told the news service, “If CEOs aren’t paying attention to data security, the FTC and other agencies will be more than happy to make them pay attention.”
As Security Boulevard notes, if the FTC can take aim at a CEO, then it could theoretically target chief information security officers who suffer data breaches, as well. There’s concern that regulators could effectively “blacklist” certain CISOs from their profession, given that companies would be unlikely to hire CISOs who are subject to FTC sanction for their past breaches. Another worry is that companies anxious to reach a settlement with regulators might feel pressure to throw their CISOs under the bus.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement. “CEOs who take shortcuts on security should take note.”
The breach occurred, according to the FTC, after Drizly gave an executive access to the company’s GitHub repositories so he could participate in a one-day hackathon. Drizly didn’t shut down the executive’s access after the event, and hackers guessed the executive’s password, which he had reused on other sites. The breach allegedly gave the hackers access to 2.5 million personal records. Boston-based Drizly was acquired by Uber in 2021 for $1.1 billion.
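The access half of that chain, a one-day grant that nobody revoked, is the part a repository owner can catch mechanically. The script below is an added example and not Drizly’s, Uber’s or the FTC’s material: it keeps a ledger of access grants in which event-scoped access carries an expiry from the moment it is issued, then reconciles the accounts that actually hold access against the ledger so that an expired grant or an unexplained collaborator surfaces on the next audit. The organisation name, account names, dates and collaborator list are constructed for illustration; a real run would feed the collaborator list from the hosting provider’s API. The password-reuse half of the incident is outside what this check addresses.

```python
"""Reconcile who holds repository access against a ledger of time-boxed grants.

Added example for illustration only; names, dates and the ledger format are
constructed and do not describe any real organisation's systems.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class AccessGrant:
    principal: str                   # account that was given access
    resource: str                    # e.g. a source-hosting org or repo
    reason: str                      # why the access exists (role, ticket, event)
    granted_at: datetime
    expires_at: Optional[datetime]   # None means standing access tied to a role
    revoked_at: Optional[datetime] = None

    def is_live(self, now: datetime) -> bool:
        """A grant is live only if it was never revoked and has not expired."""
        if self.revoked_at is not None:
            return False
        return self.expires_at is None or now < self.expires_at


def grant_for_event(principal: str, resource: str, reason: str,
                    start: datetime, duration: timedelta) -> AccessGrant:
    """Event-scoped access: the expiry is fixed when the grant is created, so a
    forgotten manual revocation after the event does not leave it live."""
    return AccessGrant(principal, resource, reason, start, start + duration)


def reconcile(collaborators: Iterable[str], grants: List[AccessGrant],
              resource: str, now: datetime) -> Dict[str, str]:
    """Return {account: problem} for every account that currently holds access
    to `resource` but has no live grant in the ledger explaining it."""
    problems: Dict[str, str] = {}
    for who in collaborators:
        mine = [g for g in grants if g.principal == who and g.resource == resource]
        if not mine:
            problems[who] = "no grant on record"
        elif not any(g.is_live(now) for g in mine):
            latest = max(mine, key=lambda g: g.granted_at)
            problems[who] = f"grant expired ({latest.reason})"
    return problems


# --- constructed sample data ------------------------------------------------
ORG = "github/example-org"                       # hypothetical resource name
HACKATHON = datetime(2020, 4, 15, tzinfo=UTC)    # constructed event date

LEDGER = [
    # standing access tied to a role: no expiry, must be revoked explicitly
    AccessGrant("eng.alice", ORG, "backend engineer",
                datetime(2019, 1, 7, tzinfo=UTC), None),
    # one-day hackathon access for an executive: expires on its own
    grant_for_event("exec.bob", ORG, "one-day hackathon",
                    HACKATHON, timedelta(days=1)),
]

# What the hosting provider reports as collaborators today (constructed).
CURRENT_COLLABORATORS = ["eng.alice", "exec.bob", "contractor.carol"]


def audit(now: Optional[datetime] = None) -> Dict[str, str]:
    """Run the reconciliation for the sample org at `now` (default: today)."""
    return reconcile(CURRENT_COLLABORATORS, LEDGER, ORG, now or datetime.now(UTC))


if __name__ == "__main__":
    for account, problem in sorted(audit().items()):
        print(f"{account}: {problem}")
```

During the hackathon the only finding is the contractor with no grant on record; a month later the executive’s account is flagged as well, because the one-day grant expired whether or not anyone remembered to remove him. The point of the design is that the ledger, not human memory, decides when event-scoped access ends, and the periodic reconciliation catches both forgotten revocations and access that was never recorded at all.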
The settlement won’t be final until after a 30-day public review period.