• by Steve Ellwanger , October 26, 2022

The Federal Trade Commission is proposing restrictions on what personal information online alcohol-beverage delivery platform Drizly can retain about its customers following two security breaches dating to 2018.

A proposed administrative complaint also seeks to bind Drizly LLC CEO James Cory Rellas to specific data-security requirements if he leaves Drizly for other companies because of “his role in presiding over unlawful business practices” at Drizly.

According to the FTC, Drizly and Rellas were alerted to security problems in 2018 when a Drizly employee posted the company’s cloud-computing account login information on the software development and hosting platform GitHub.

“As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account,” the FTC said on Monday.

“Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place.”

In 2020, a hacker “breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database and then stole customers’ information.”

The FTC says the data breach exposed the personal information of about 2.5 million consumers.

Among other charges, the FTC alleges that Drizly did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies or train employees on those procedures.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

Under the FTC’s proposed order, Rellas would be required to implement an information-security program at future companies if he moves to a business that collects consumer information from more than 25,000 individuals “and where he is a majority owner, CEO, or senior officer with information security responsibilities.”

While the FTC voted 4-0 in favor of the proposed administrative complaint and an accompanying consent decree, Commissioner Christine Wilson dissented on the inclusion of Rellas as an “individual defendant.”

In a statement, Wilson said the FTC is not alleging that Rellas “oversaw day-to-day operations of the company’s data security practices, had any data security expertise or was responsible for decisions about data security policies, procedures or programs.”

The FTC said it will publish details about the proposed consent agreement with Drizly and Rellas but did not indicate when. After 30 days of public comment, the commission will then decide whether to make the consent order final.

A Drizly spokesperson provided this statement to Marketing Daily: “We take consumer privacy and security very seriously at Drizly and are happy to put this 2020 event behind us.”