Tuesday, 25 October 2022, 08:36:38 PM

USA: FTC proposes order against Drizly and its CEO for security failures


The Federal Trade Commission ('FTC') announced, on 24 October 2022, that it had issued a proposed order against Drizly, LLC and its CEO, James Cory Rellas, over allegations that the company's security failures had led to a data breach exposing the personal information of approximately 2.5 million consumers, in violation of § 5(a) of the Federal Trade Commission Act ('the FTC Act').

Background to the case

The FTC had initiated an investigation into certain acts and practices of Drizly and Rellas.

Findings of the FTC

Following the investigation, the FTC issued a complaint against Drizly, stating that it had reason to believe that Drizly and Rellas violated § 5(a) of the FTC Act by failing to use appropriate information security practices to protect consumers' personal information. More specifically, the FTC detailed that Drizly did not require employees to use two-factor authentication for GitHub, did not limit employee access to personal data, did not develop adequate written security policies, and did not train employees on those procedures.

Furthermore, the FTC noted that Drizly stored critical database information on an unsecured platform and neglected to monitor its network for security threats: it neither put a senior executive in charge of ensuring that the company was keeping its data secure, nor monitored its network for unauthorised attempts to access or remove personal data. The FTC concluded that these failures allowed a malicious actor to access Drizly's consumer database and steal information relating to 2.5 million consumers.

Outcome

In light of the above, the FTC noted that its proposed order includes several requirements to ensure that Drizly takes steps to address the problems outlined in the FTC's complaint. The FTC specified that the order would require Drizly to, among other things:

  • Destroy any personal data collected that is not necessary for it to provide products or services to consumers. The data destroyed must be documented and reported to the FTC.
  • Refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule, and publicly detail on its website the information it collects and why such data collection is necessary.
  • Implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint including:
    • providing security training for its employees;
    • designating a high-level employee to oversee the information security program;
    • implementing controls on who can access personal data; and
    • requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.

Notably, the FTC clarified that the order applies personally to Rellas, noting that the FTC's proposed order will follow Rellas even if he leaves Drizly. Specifically, the FTC highlighted that Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

Commissioner Christine S. Wilson dissented from the inclusion of Rellas in the complaint and settlement. Wilson explained that "To seek injunctive relief with respect to a CEO or other principal, the FTC must show only that the individual 'participated directly in the deceptive practices or had authority to control those practices', and does not require the FTC to show a 'specific link from [the individual] to the particular deceptive [acts] and instead looks at whether [the individual] had authority to control the corporate entity's practices". (Source: DataGuidance)


Source by Redazione
