In a new proposed settlement, the Federal Trade Commission is seeking to hold a tech CEO accountable to specific security standards, even if he moves to a new company.
The agency announced Monday that its four commissioners had voted unanimously to issue a proposed order against alcohol delivery platform Drizly and its CEO James Cory Rellas for allegedly failing to implement adequate security measures, which eventually resulted in a 2020 data breach exposing personal information on about 2.5 million consumers.
The FTC claims that despite being alerted to the security concerns two years before the breach, Drizly and Rellas did not do enough to protect their users’ information.
While settlements like this are not that uncommon for the FTC, its decision to name the CEO and have the stipulations follow him beyond his tenure at Drizly exemplifies an approach favored by Democratic Chair Lina Khan. Some progressive enforcers have argued that naming tech executives in their lawsuits should create a stronger deterrence signal for other potential violators.
The proposed order, which is subject to a 30-day public comment period before the commission votes on whether to make it final, would require Rellas to implement an information security program at future companies where he’s the CEO, a majority owner or a senior officer with information security responsibilities, provided the company collects consumer information from more than 25,000 people.
Though Republican Commissioner Christine Wilson voted with the agency’s three Democrats to impose the proposed settlement against Drizly, she objected to naming Rellas as an individual defendant. In a statement, Wilson wrote that naming Rellas will not result in putting “the market on notice that the FTC will use its resources to target lax data security practices.”
“Instead, it has signaled that the agency will substitute its own judgement about corporate priorities and governance decisions for those of companies,” she wrote, adding that given CEOs’ broad overviews of their businesses, it’s best left to companies rather than regulators to determine what the chief executive should pay regular attention to.
In a joint statement, Khan and Democratic Commissioner Alvaro Bedoya responded to Wilson’s argument, writing that “Overseeing a big company is not an excuse to subordinate legal duties in favor of other priorities. The FTC has a role to play in making sure a company’s legal obligations are weighed in the boardroom.”
Khan’s FTC has named other executives in past complaints, like when it named Meta CEO Mark Zuckerberg as a defendant in a lawsuit seeking to block the company’s proposed acquisition of virtual reality company Within Unlimited. But it later dropped him from the complaint after the company said Zuckerberg would not try to personally buy Within.
The order against Drizly would also require the company to destroy personal data it has collected but no longer needs, limit future data collection and establish a comprehensive security program including training for employees and controls on who can access data.
“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson said in a statement.