
Drizly has a problem. Technically, two problems. And a CEO with a problem. In 2018 Drizly had a security incident in which, rather than data being extracted from its servers, an employee of Drizly posted login credentials for Drizly’s servers on GitHub, a software code repository that hosts free and open-source software and code snippets. Those credentials were used to install crypto-mining software on the servers, letting individuals mine cryptocurrency without paying for server usage, power, or cooling. Access to the servers also exposed customer data, though no data appears to have been affected.
The FTC warned Drizly and its CEO, John Cory Rellas, regarding the potential exposure of customer information, and Drizly and the CEO publicly claimed to have put generally accepted security measures in place to limit that exposure.
In 2020 a hacker gained access to Drizly’s systems through an improperly secured employee account and took 2.5 million customer records from the customer database. The stolen information included email and postal addresses, phone numbers, and data purchased from third parties (used to enhance customer profiles and targeting/marketing activities).
An investigation determined that although Drizly and John Cory Rellas had stated that adequate security protocols were in place, any steps actually taken were lacking and should have been known to be lacking, given the earlier incident on GitHub.[i]
The enforcement actions the FTC is proposing against Drizly and Rellas are designed to address the problems found in the FTC’s complaint.[ii] These steps include:
- Destroy unnecessary data – including data collected or compiled that is not required to serve customers – and publish a clear data collection and retention policy on the Drizly website.
- Curtail data collection in the future – going forward, Drizly should collect and store only data that is required to serve the customer.
- Implement an information security program – Drizly needs to implement a comprehensive security program, including security training for employees, data segregation, and implemented controls and reviews, among other measures.
What should be explicitly noted is that John Cory Rellas, who as CEO was responsible for data security practices, has additional requirements going forward. The FTC proposed that Rellas be required to implement a similar information security program at any future company he moves to if that business collects consumer data from more than 25,000 individuals.
Drizly was acquired by Uber in October 2021, but the proposed actions apply to the company as a subsidiary of Uber.
What is unusual is that the FTC has specifically named the Drizly CEO and explicitly stated that he failed to implement security best practices, to delegate information security responsibilities, or to hire an executive to implement an information security program.
The question some have asked is: the FTC does not normally call out CEOs by name, so why now, and why in this case?
The FTC has a rule scheduled to go into effect on December 9, 2022, called the FTC Safeguards Rule, which is based on the Gramm-Leach-Bliley Act. The short explanation is that any financial institution – and “financial institution” is now broadly defined as any company that offers consumers financial products or services such as loans, financial or investment advice, or insurance – must provide information on how it shares customer data and on the methods it uses to safeguard that sensitive data.
The rule requires that every such company have a detailed, written, and regularly updated information security program that is “appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue”[iii]. The top objectives include:
- Security and confidentiality of customer information
- Protect information against anticipated threats to the security and integrity of the data
- Protect against unauthorized access to the data that could harm or inconvenience any customer
The FTC is saying that because data breaches and losses are occurring more frequently, C-suite officers of companies should be aware of the potential risks that their companies face.
The FTC can enter into consent decrees and recommend enforcement actions, but it cannot impose penalties at this time. There is a push in Congress for changes to better protect customer data.
As small business owners, we must be aware of what is being done to secure customer data.
Many people recall the changes that came after the collapse of Enron and Arthur Andersen, resulting in the Sarbanes-Oxley Act and the confusion and turmoil in small and large businesses alike over who needed to implement which controls.
Small businesses will be required to implement some, if not all, of the FTC Safeguards Rule in the coming months as cybersecurity incidents and data loss become larger problems.
Watch this space for more information about how these changes affect small businesses.
Security Evangelist Howard Globus has more than twenty years of experience designing, installing and supporting Windows server and workstation products in industries where security and reliability are critical. System engineering and administration experience includes customized Windows Server and Workstation installs, designed to be deployed using the latest automated technology available and managed using products found onsite at most Fortune 500 firms to ensure a wide variety of potential personnel to support the products in the future.
[i] https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf
[ii] https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Decision-and-Order.pdf
[iii] https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

