On October 24, 2022, the Federal Trade Commission (“FTC”) announced a proposed consent order against both Drizly LLC, an online marketplace for alcohol delivery, and its CEO over the company’s alleged security failures that led to a data breach in 2020, which exposed the personal information of approximately 2.5 million Drizly customers. Drizly and its CEO were allegedly made aware of potential security deficiencies two years prior to the incident and did not take corrective action. The proposed order, in which the FTC alleges that Drizly had unfair information security practices and made deceptive security statements, is significant in that it not only highlights the need for data minimization, but also personally names and imposes requirements on the company’s CEO to implement an information security program, even if he transitions to a different company. Our recent client advisory discusses the proposed order in detail.
In July 2020, a malicious actor gained access to Drizly’s systems after obtaining access to an executive’s GitHub account, which contained repositories of the company’s source code as well as other company credentials. Using the credentials found in that account, the malicious actor was then able to reach Drizly’s systems, and the information of 2.5 million consumers was compromised. According to the complaint, Drizly and its CEO were made aware of data security issues at the company after a similar 2018 incident in which a malicious actor exploited Drizly credentials that had been posted to a public GitHub repository. Further, the FTC notes, Drizly conducted its own post-breach analysis and through that process acknowledged its security shortcomings. The FTC specifically alleges that the company: (1) failed to implement basic security measures, such as requiring complex and unique passwords or multi-factor authentication to access source code or databases, enforcing role-based access controls, monitoring and terminating employee access to source code once the need expires, restricting inbound connections to known IP addresses, and requiring appropriate authentication between Drizly applications and the production environment; (2) stored login credentials on an unsecured platform, contrary to the platform’s own guidance and despite well-publicized security incidents involving GitHub; (3) neglected to monitor its network for unauthorized attempts to access or remove personal data; and (4) exposed customer data to malicious actors. Although the complaint centers on these security shortcomings, the FTC’s proposed order focuses largely on the company’s treatment of data, likely as a preventive measure.
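Both the 2018 and 2020 incidents trace back to credentials sitting in source repositories. As an added example (not code from the advisory, the FTC, or Drizly), the following is a minimal secret scanner of the kind run as a pre-commit hook or CI gate to catch allegation (2) before a push: it combines vendor-format rules (the AWS access key ID shape “AKIA” plus 16 uppercase alphanumerics and the GitHub classic token prefix “ghp_” are documented formats), a keyword-assignment rule with placeholder filtering, and a Shannon-entropy heuristic for unlabelled tokens. The sample repository contents, the credential values, the rule names and the 4.0 bits/character threshold are all constructed for illustration.

```python
"""Minimal secret scanner: vendor-format rules, keyword assignments, and an
entropy heuristic. Added illustration; the sample repository below is
constructed and contains no real credentials or real files."""
import math
import re
from dataclasses import dataclass

# Vendor-format rules. AKIA + 16 uppercase alphanumerics (AWS access key ID)
# and ghp_ + 36 alphanumerics (GitHub classic token) are documented shapes,
# so a match is a strong signal regardless of surrounding context.
VENDOR_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic rule: a credential-like name assigned a quoted literal of 8+ chars.
# No leading \b, so names such as DB_PASSWORD or SLACK_TOKEN still match.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Candidate for the entropy heuristic: a long run of token-like characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed); hex strings can never exceed 4.0
PLACEHOLDER_HINTS = ("changeme", "example", "placeholder", "xxxx")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Templated or obviously fake values that should not be reported."""
    v = value.lower()
    return v.startswith(("${", "{{", "<", "%(")) or any(h in v for h in PLACEHOLDER_HINTS)


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in VENDOR_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(0)))
                hit = True
        for m in ASSIGNMENT.finditer(line):
            if not looks_like_placeholder(m.group(1)):
                findings.append(Finding(path, line_no, "credential_assignment", m.group(1)))
                hit = True
        if hit:
            continue  # a line already explained by a rule is not re-reported on entropy
        for m in TOKEN.finditer(line):
            tok = m.group(0)
            if shannon_entropy(tok) > ENTROPY_THRESHOLD and not looks_like_placeholder(tok):
                findings.append(Finding(path, line_no, "high_entropy_string", tok))
    return findings


def scan_repo(files: dict) -> list:
    """files maps path -> contents, as a pre-commit hook would see staged files."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (not real credentials, not real files).
SAMPLE_REPO = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        'DB_PASSWORD = "${DB_PASSWORD}"',                     # templated: not reported
        'AWS_ACCESS_KEY_ID = "AKIAQ7MX3ZR9TL2VWB5C"',         # vendor format
        'SLACK_TOKEN = "Q2wE4rT6yU8iO0pA1sD3fG5hJ7kL9zXc"',   # keyword assignment
    ]),
    "deploy/id_rsa": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----",
        "(key material omitted in this constructed sample)",
        "-----END RSA PRIVATE KEY-----",
    ]),
    "scripts/sync.sh": "\n".join([
        "#!/bin/sh",
        'curl -sS -H "Authorization: Bearer zX9cV7bN5mA3sD1fG0hJ2kL4pO6iU8yT" https://api.example.invalid/v1/sync',
        "git fetch origin e3b0c44298fc1c149afbf4c8996fb92427ae41e4",  # hex SHA: below threshold
    ]),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.value}")
```

Run against the sample, the scanner reports the AWS key ID, the Slack token assignment, the private key header and the bearer token in the shell script, and stays silent on the templated `${DB_PASSWORD}` and on the commit hash. A hook like this reduces the chance that a credential lands in a repository in the first place; once one has been pushed, the only remediation is to revoke and rotate it, because deleting it from history does not recover it from anyone who already cloned.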
Key takeaways from the proposed consent order:
- Multi-factor Authentication: The FTC has consistently required that companies adopt multi-factor authentication. The proposed order requires Drizly to impose multi-factor authentication for all employees, contractors, and affiliates in order to access any assets storing “covered information,” which the FTC defines as information from or about an individual consumer, including for example name, address, email address or other online contact information such as screen name, certain geolocation information, and user account credentials whether in plain text, encrypted, hashed, and/or salted. Acceptable multi-factor authentication methods must be resistant to phishing attacks and shall not include telephone or SMS-based authentication methods. Accordingly, the FTC is placing companies on notice that SMS-based authentication may not be considered an appropriate or secure method of multi-factor authentication. In practice, phishing resistance points toward FIDO2/WebAuthn-based security keys or passkeys, which bind the authentication to the site’s origin; one-time codes, whether sent by SMS or generated by an app, can still be relayed to the real site by a phishing page.
- Data Minimization Principles: The proposed order details Drizly’s lack of proper data hygiene, and as a result, imposes several requirements on Drizly to reduce its data footprint. Notably, the company is required to publish a retention schedule, which includes the purposes for which the “covered information” (defined above) is collected, the business needs for retaining each type of information, and a set time for deletion of each type of information. In addition, the company must refrain from collecting or storing covered information that is not necessary for the purposes outlined in the data retention schedule. Drizly is further required to document and destroy all unnecessary covered information it has collected from consumers, and then report to the Commission what data was destroyed.
- Liability for Exposure of Consumer Demographic Information: The FTC’s primary allegation of unfair trade practices requires a finding of injury to consumers. Here, while not entirely clear, it appears that the data impacted by the security breach involved information stored in Drizly’s databases, such as consumer name, email address, postal address, phone number, unique device identifier, order history, partial payment information, and geolocation information. Importantly, the exposure of this type of data does not trigger consumer reporting obligations under most state laws. However, the FTC alleges injury is likely because this information was exfiltrated from Drizly’s databases and offered for sale on two dark web forums. In addition, the FTC found that “malicious actors combine such information to perpetrate fraud (for example, by opening fraudulent lines of credit) or obtain additional personal information by impersonating companies with whom the target has previously transacted.” In light of this lower threshold, companies should review their data protection practices and consider appropriate controls for demographic information.
- Executive Accountability: In personally naming the company’s CEO, the FTC’s primary allegation was that the CEO, individually or in concert with others, had the authority to control, or participated in, the acts and practices alleged in the complaint and is thus individually responsible for those alleged acts and practices. The FTC notes that the CEO hired senior executives dedicated to finance, legal, and marketing, among other areas, but failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly. The proposed order specifically requires the CEO to implement and maintain an information security program at future companies for the next 10 years if he accepts an executive or majority ownership position at a company that collects consumer information from more than 25,000 individuals.
Businesses and executives should take note that the FTC is undertaking aggressive efforts to protect consumer data and to hold those at the top responsible. The Commission voted 4-0 on issuing the proposed administrative complaint and accepting the consent agreement with Drizly and its CEO.
The proposed order is subject to a 30-day public comment period after which the FTC will decide whether to make the proposed consent order final.