FTC’s Drizly Action Delivers Data-Security Message

Thom Weidlich 10.27.22


The U.S. Federal Trade Commission’s action this week against Drizly over its 2020 data breach is garnering some notice because of its focus on the CEO of the Boston-based and Uber-owned booze deliverer. That’s important in terms of crisis awareness. But so are other aspects of the matter.

On Mon., Oct. 24, the FTC said it reached an agreement with Drizly and CEO Cory Rellas, who, despite warnings from another data intrusion in 2018, didn’t take measures to prevent the more-recent breach that involved the personal data of about 2.5 million customers.

The proposed settlement comes up for finalization after a 30-day comment period. Most press reports are spotlighting that the FTC would require Rellas to implement security measures even if, under certain conditions, he moves to a different company. That’s unusual though apparently not unprecedented.

“Rellas is responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable information-security practices,” according to the FTC’s complaint.

Crisis Prevention

As far as corporate governance and crisis prevention go, the agency notes that, while Rellas hired people for many corporate functions, data security wasn’t one of them.

“In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record,” the FTC said in the release. “Recognizing that reality, the commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information-security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO or senior officer with information-security responsibilities.”

Is this a warning for the future? It appears so. “CEOs who take shortcuts on security should take note,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in the press release.

Privacy Policy

As for Drizly, which Uber bought in 2021 (after the data breaches) for $1.1 billion, the FTC accused it of saying in its privacy policy that it had adequate security protections when it didn’t. Under the proposed order, the company would be required to destroy all data not needed to conduct its business and to restrict what data it collects and retains.

All of this should be a caution to any organization about the importance of data protection. What’s particularly brutal is the accusation that, despite the warnings, Drizly didn’t do anything to address its security lapses and instead papered over them with dubious assurances.

We haven’t seen much in the way of comment from the company about the proposed settlement. “We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” CNBC quoted a Drizly spokesperson from a statement.
