Drizly FTC Breach Case May Put CISOs on the Hook for Civil Liability

In 2019, Boston-based online booze company Drizly had a data breach that exposed the personal data of about 1.2 million customers. The breach occurred (as so many do) when hackers were able to obtain credentials like usernames, passwords, API keys, secure access tokens and asymmetric private keys for the company’s AWS servers from GitHub repositories. In April 2018, Drizly granted a company executive access to its GitHub repositories so that he could participate in a one-day hackathon, but never shut down the access after the event. Once hackers guessed the executive’s password (it was used on other sites, duh) they had access to the full GitHub directory. That, in turn, gave the hackers the credentials for the AWS directory, which gave them the ability to download Drizly’s User Table—with personal data amounting to more than 2.5 million records. In 2021, Drizly was acquired by Uber for $1.1 billion. The FTC opened an investigation of the Drizly data breach, found that the company had failed to maintain an adequate information security program (with an adequate incident response program) and required the company to take remedial measures.

All pretty standard data breach stuff.

But the settlement agreement with the FTC had an unusual wrinkle—one which should cause panic within the information security community.

The FTC’s lawsuit named not only Drizly, but also James Rellas, the CEO of Drizly, for his actions and failures to act as an agent of Drizly. As such, the consent decree not only binds the online bubbly company but also the CEO personally—no matter where he goes. If Rellas is hired by another company—in any capacity—Rellas has to ensure that the new company (or technically himself, at the new company) has an effective information security program in compliance with the FTC enforcement actions.

The FTC explicitly stated that “The Federal Trade Commission is taking action against the online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. The FTC’s proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.”

But the FTC went further, noting:

“… the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”

While the FTC action here was aimed at the company’s CEO, there is no reason that the commission couldn’t use the same authority to go after CISOs of companies that suffer data breaches or security incidents, or that simply do not fully follow their own information security guidelines. Effectively, the Commission could brand a CISO with a “scarlet letter,” blacklisting them in their chosen profession. While no company expects to have inadequate security or suffer a data breach, a company would be foolhardy to hire a CISO who has not only had a data breach in the past (that part is not uncommon) but who is also subject to the FTC’s jurisdiction. A subsequent data breach would subject the CISO to FTC sanctions, and might also subject the new company that hired the CISO to sanctions. Risk-averse companies would likely balk.

In addition, such a settlement may place the CISO and his/her employer in an adverse position. The company, eager to get the FTC case over with, might be willing to settle the case, but the FTC may demand the CISO’s head. If the CISO refuses to sign the settlement, they would likely be terminated (if they hadn’t been before). The only way the company gets what it wants is by sacrificing its CISO. This gives a company incentive to “blame the CISO” for any security deficiency. Will this make CISOs more aggressive and independent? Hard to say.

There is a sense that someone within a company should be personally responsible when the company fails to adequately protect data. In the Drizly case, this was the CEO. I expect it will be a very short time until it is the CISO—or the former CISO.

Such FTC consent decrees are not uncommon in the wake of a data breach. What makes this one unique is the fact that the consent decree is not only against the Boston-based beverage company but also against an individual—the CEO. Thus, the requirements in the consent decree regarding notification to the FTC, compliance with standards, reporting, auditing, etc., apply not just to the company but to the CEO as an individual. As a result, if the CEO leaves Drizly, he will be personally liable for security failures that breach the consent decree at his new employer. The FTC noted:

“While this enforcement action applies to the CEO of a company, the same measures could be taken by the FTC or regulators against a company’s CISO if they believe that the CISO personally failed to prevent, or failed to reasonably respond to a data breach, or failed to prevent a significant security incident.”

Such a CISO would be “branded” as having to forever comply with FTC information security protocols, under threat of civil fraud investigation—essentially making the CISO a pariah in the industry. This is not the first time the FTC has attempted to enforce a security or privacy duty on a CEO (the FTC named Facebook—now Meta—CEO Mark Zuckerberg as a civil defendant), but in that case it ultimately backed down. Here, the FTC specifically named the officer personally so that he would be forced to carry the duty to protect data wherever he went—sort of a personal order of probation. Since CISOs often have the responsibility for ensuring data privacy and security, this marks an effort by the FTC to hold corporate agents personally responsible for actions taken on behalf of the corporation.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.