On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed Order requiring Drizly, LLC, and its CEO to make significant cybersecurity improvements after a 2020 data breach allegedly exposed the personal information of about 2.5 million consumers. In the Matter of Drizly, LLC and James Cory Rellas, FTC Case No. 2023185, Decision and Order. The Order, once final, will require Drizly – an online alcohol marketplace – to make and sustain major security upgrades, limit future data collection and destroy unnecessary data, designate a high-level employee to oversee the information security program, and more.
But even more interesting is the fact that the proposed Order requires Drizly’s CEO to personally ensure that strong and comprehensive information security protocols are established and maintained for a 10-year period at any company where he has majority ownership or senior corporate officer responsibility over information security (if the company collects a large volume of consumer information), even if he leaves employment at Drizly.
Imagine being in the shoes of that CEO. If he seeks new employment within the next decade, he must find a company that is immediately willing to be on the FTC’s radar.
There can be no doubt that the FTC is increasingly bringing deliberate enforcement actions focused on cybersecurity and data privacy compliance at companies across every industry. As stated in its press release, “This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.” FTC 10/24/2022 Press Release (emphasis added). In this case, the FTC highlights the fact that Drizly and its CEO were alerted to problems with the company’s data security protocols during a security incident two years earlier, and that they publicly claimed to have put appropriate security protections in place while not actually following through. Add to these facts a new breach, and the FTC understandably ran out of patience.
The FTC’s aggressive approach is part of a general trend requiring increased corporate accountability for insufficient cybersecurity protocols. For example, on September 2, 2022, the Third Circuit Court of Appeals held that a former employee of ExecuPharm has standing to bring a class action lawsuit against the company on behalf of its employees, arising from a corporate data breach (and theft of employee information) by a third party. Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022). If successful, this class action could be extremely costly to ExecuPharm, even though ExecuPharm was itself a victim of the cyber-breach.
To those of you wondering why the government has focused on penalizing companies that were themselves victimized by hackers, consider the following analogy. Imagine that you own a theater and regularly invite customers to check their possessions in the coatroom. Further imagine that it is widely known that sophisticated, “Mission Impossible”-level thieves have been entering coatrooms covertly to steal wallets, bags, and theater supplies. If you staff your coatroom with one distracted or overburdened employee, you are basically inviting property losses at the hands of those sophisticated coatroom swindlers. Now imagine that those wallets and bags are full of your customers’ most valuable and exploitable personal information; surely stronger security is demanded by this circumstance, to protect not only the theater’s possessions but those of the customers who were invited to trust the theater’s security. The FTC and others are signaling that companies should view their data systems – and the scores of sophisticated cybercriminals known to be looking to breach them – in exactly this light.
Therefore, I recommend that corporate executives overhaul their information security cost-benefit analysis to include the very real risk of personal and corporate penalties should a breach occur. Add to the mix the reputational damage that comes with a cyber-intrusion, and the scales weigh heavily in favor of stronger and more comprehensive information security protocols.
How strong is strong enough? That will depend on many different factors, including each company’s individual risk picture and prior history, as well as best practices within its industry and more broadly. In addition, the Drizly proposed Order lays out certain information security protocols that every company should now be looking to adopt.
Strong cybersecurity is not only better for public image and business stability, but it is better for executives’ wallets as well. Invest in strong cybersecurity, a robust compliance program and outside counsel subject matter expertise now, or risk higher penalties later.