The Federal Trade Commission plans to take the rare step of bringing individual sanctions against the CEO of alcohol delivery company Drizly for data privacy abuses, following allegations that the company’s security failures under his watch exposed the personal information of about 2.5 million customers.
The proposed order will follow Drizly CEO James Cory Rellas to future businesses, requiring him to implement a security program at any companies he runs that collect information from more than 25,000 people. The order will also apply to the company itself, which is now a subsidiary of the ride-hailing service Uber. Under the terms of the FTC action, Rellas and Drizly will have to destroy unnecessary data, implement new data controls and train employees about cybersecurity.
In singling out Rellas, the FTC signaled it could use a wider range of tools to address data privacy abuses under the leadership of chair Lina Khan, who was widely expected to bring tougher oversight of the tech industry. The inclusion of Rellas follows a push from Democrats to more aggressively penalize individual executives involved in major data privacy breaches. Democrats on the commission previously criticized the agency’s record-setting settlement with Facebook over the Cambridge Analytica data scandal because it did not name Facebook chief executive Mark Zuckerberg.
“Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary,” Khan and Commissioner Alvaro M. Bedoya said in a joint statement. “It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”
The agency voted 4-0 to support the order, but the commission’s lone Republican commissioner, Christine Wilson, dissented from the decision to name Rellas. She warned the move sends a signal that the agency “will substitute its own judgement about corporate priorities and governance decisions for those of companies.”
Khan, who came in with high expectations to bring a regulatory reckoning to Silicon Valley, is under increasing pressure to follow through on promises to reinvigorate the agency’s data security enforcement now that she once again has a Democratic majority. But she has limited tools at her disposal in the absence of a federal privacy law that would allow the FTC to bring fines for first-time offenses. The order against Drizly and Rellas carries no fines, but the company and executive could face financial penalties if they fail to comply with the proposed data security requirements.
The FTC has sought to use data privacy orders like the one proposed against Drizly and Rellas to hold companies accountable when they allegedly abuse or misuse consumer data. These orders are very limited, and repeated data breaches at companies under order have raised questions about their efficacy and whether companies take them seriously. Current and former FTC officials have told The Washington Post that the agency lacks the personnel and technical expertise to effectively monitor and enforce the orders.
The agency has sought to make its orders more prescriptive to ensure that companies are adopting stronger data protections. Drizly employees will be required to use multifactor authentication to access critical databases, and implement new controls over personal data access.
The action follows allegations that Drizly failed to implement basic security measures to protect its customers’ personal information. The company also allegedly stored important login credentials on the software development service GitHub, even though the FTC had previously brought an action against Uber for similar conduct. The agency also alleged that Drizly didn’t have a senior executive in charge of securing data.
There are only a handful of examples of the FTC pursuing such individual liability in past cases involving online data. In 2019, the agency reached a settlement with the operator of an online rewards website, ClixSense, that will follow him to future companies. That same year, the agency also named executives in an order it brought against a dress-up games website, which allegedly violated a law that protects children under the age of 13 online.
The FTC has more frequently pursued orders against individual executives in cases over fraud or misleading advertising, according to an FTC official, who spoke on the condition of anonymity in order to discuss the case candidly. Last year, the FTC reached a settlement that named the former CEO of MoviePass over allegations that the company deceptively marketed its movie theater subscription service.
The FTC will take public comments on the consent order for 30 days, after which it will decide whether to finalize the order.