The recent Drizly case signals the Federal Trade Commission's (FTC) willingness to punish executives whom the agency deems culpable for their organizations' security failures. Drizly is an online alcohol marketplace that experienced a data breach affecting 2.5 million users. The FTC alleged that Drizly's failure to implement reasonable safeguards to secure the personal information it collected and stored, coupled with its statements that its security practices were "standard" and "reasonable," constituted unfair and deceptive trade practices.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO [James Rellas] faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”
The Drizly settlement is the first time the FTC has issued a settlement order holding an executive personally liable for the purported data security failures of their employer. Holding executives personally liable is nothing new, but it has historically occurred in connection with alleged schemes to defraud consumers and well-established theories of consumer injury. In 2019, the FTC reached a settlement with Facebook over the social media company's alleged violation of a 2012 consent order. In addition to a $5 billion penalty, the settlement required a number of corporate governance changes, including specific executive obligations. The agency required the establishment of an independent privacy committee on the board and imposed a quarterly privacy certification requirement on individual Facebook executives, with threatened civil and criminal penalties for any false certifications, much like Sarbanes-Oxley corporate certifications. Significantly, the 2019 Facebook settlement drew dissents from two commissioners (one of whom was also involved in deciding the Drizly case), who argued that Facebook CEO Mark Zuckerberg should have been held personally liable for the company's alleged violations.
- The FTC seems increasingly keen on holding executives personally accountable for organizational security failures.
- FTC corrective measures may have lasting effects on executives, significantly limiting their employability.
- Minimizing data collection is an emerging consideration for FTC-regulated companies.