The recent Drizly case signals the Federal Trade Commission’s (FTC) efforts to punish executives whom the agency deems culpable for their organizations’ security failures. Drizly is an online alcohol marketplace that experienced a data breach affecting 2.5 million users. The FTC alleged that Drizly’s failure to implement reasonable safeguards to secure the personal information it collected and stored, coupled with statements that its security practices were “standard” and “reasonable,” represented unfair and deceptive trade practices.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO [James Rellas] faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”
The Drizly settlement represents the first time the FTC has released a settlement order that holds an executive personally liable for the purported data security failures of their employer. Personal liability for executives is itself nothing new at the agency, but it has historically occurred in connection with alleged schemes to defraud consumers and well-established theories of consumer injury. In 2019, the FTC reached a settlement with Facebook over the social media company’s alleged violation of a 2012 consent order. In addition to a $5 billion penalty, the settlement required a number of corporate governance changes, including specific executive obligations. The agency required the establishment of an independent privacy committee on the board and imposed a quarterly privacy certification requirement for individual Facebook executives, with threatened civil and criminal penalties for any false certifications, much like Sarbanes-Oxley corporate certifications. Significantly, the 2019 Facebook settlement contained dissents from two commissioners (one of whom was also involved in deciding the Drizly case) who argued that Facebook CEO Mark Zuckerberg should have been held personally liable for the company’s alleged violations.
Under current FTC leadership, it seems increasingly probable that the agency will seek personal liability for executives over alleged security failures. Such limitations and obligations could potentially follow executives even if they move on to work at other organizations, significantly limiting their employability, much like personal liability for Securities and Exchange Commission (SEC) related offenses. The FTC claimed in its complaint that Rellas, as CEO, was personally responsible for Drizly’s alleged security failures, because he did not implement, or properly delegate the responsibility to implement, reasonable information security practices, even after he was alerted to security problems two years prior to the breach. The order requires that Rellas, even if he leaves Drizly, implement an information security program at future companies. As noted in the FTC’s press release, “In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly.” While the Drizly order binds only Rellas, future cases may implicate other executives whose duties relate more directly to data security, privacy, and oversight of these functions.
Minimizing data collection is an emerging consideration (and enforcement risk) for any company subject to the agency’s jurisdiction; it is also directly at odds with many service, quality, and product goals of businesses. The FTC’s order requires the destruction of any personal data the company has collected that is not necessary for it to provide products or services to consumers, a standard that is problematic and may be at odds with the First Amendment. Moving forward, the company must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. The FTC’s recent proposed rulemaking on commercial surveillance and data security also seems to foreshadow the agency’s intention to take an active role in encouraging data minimization, and limits on data usage, by businesses. This proposal suggests that the risk of being accused of and investigated for failing to abide by data minimization principles is expanding under present agency leadership.
Data minimization and proportionality remain issues of global concern. Whether personal liability for executives will spread outside the United States remains uncertain, but dissatisfaction with the state of corporate accountability remains high among many regulators.