The Federal Trade Commission released a proposed order against online alcohol delivery company Drizly and its CEO, James Cory Rellas, for failing to implement basic security measures, which resulted in a data breach that exposed the data of 2.5 million consumers in 2020. The FTC alleges that the breach occurred because Drizly stored company credentials on GitHub, a code-sharing platform, without implementing two-factor authentication (despite the platform’s own guidance), it did not limit employee access to personal data, and it did not develop adequate written security policies. Significantly, the FTC noted that this was not the first time hackers had breached Drizly’s network because of an employee’s action on GitHub during Rellas’s tenure. In 2018, hackers commandeered Drizly’s servers to mine cryptocurrency after a Drizly employee posted account login information to GitHub.

The enforcement action will require Rellas to implement an information security program not only at Drizly but at any business where he becomes the majority owner, CEO, or other senior officer with information security responsibilities and where the business is responsible for the personal information of at least 25,000 individual consumers. After only a handful of enforcement actions against CEOs personally, this proposed order sends a clear signal that the FTC will pursue aggressive action against complacent CEOs who unreasonably expose their customers to hackers and identity thieves.

Our experienced Privacy & Cybersecurity team at Michael Best is available to help establish robust and compliant information security programs for companies of any size. Please reach out to a member of our team to discuss how to best implement or improve your current information security program.