Drizly FTC Verdict Could Set New Precedent for CEOs

In 2020, Drizly, an alcohol delivery service that is now a subsidiary of Uber, announced a data breach that affected the personal information of up to 2.5 million customer accounts. Leaked data included phone numbers, IP addresses, and geolocation data for the accounts' billing addresses. 

In response, the FTC released a decision and order mandating sanctions against both Drizly and the company’s CEO, James Cory Rellas. Rellas and the company must follow the sanctions for the term of the order—20 years. If Rellas moves to another company where he is responsible for data for more than 25,000 people, the sanction terms follow him to that company.

The FTC decision to not only hold a company leader personally responsible for securing company data, but to ensure that decision follows them for the rest of their career, is groundbreaking. Security breaches could now have career-long implications for CEOs. 

Requirements of the order 

The FTC order details specific requirements both the company and Rellas must follow. They are required to: 

  • Create written documentation about the content, implementation, and maintenance of the Information Security Program.
  • Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program.
  • Conduct employee cybersecurity training.
  • Destroy unnecessary data.
  • Design, implement, maintain, and document safeguards.
  • Test and monitor the effectiveness of the safeguards in place at least once every 12 months.

The specifics of the order demonstrate that the FTC expects strong security controls. As part of the requirement for creating safeguards, the order specifically mentions, multiple times, how Drizly and Rellas must use stronger authentication to protect data in the future.

The order requires Drizly and Rellas to use phishing-resistant MFA for all employees, contractors, and affiliates seeking access to any assets, including databases storing covered information. The order specifies excluding telephone or SMS-based authentication methods. Drizly and Rellas are also required to offer MFA for consumers and not use data collected during the authentication process. 

Not surprisingly, the FTC's order mirrors the phishing-resistant MFA requirement in the government mandate released to all government agencies earlier this year. Both the FTC order and the US government mandate illustrate the importance regulatory agencies are placing on phishing-resistant MFA.

Precedent for personal culpability 

Experts are pointing to the Drizly order as a precedent for future sanctions where leaders are held personally responsible for their organization not properly securing data. Additionally, the order shows that organizations that make the decision to move to phishing-resistant MFA now can potentially protect themselves against future sanctions. The requirements of the order show that the FTC thinks that phishing-resistant MFA provides the best security when it comes to protecting personal data.

Companies just like yours are turning to Beyond Identity to protect their vital data and resources, as well as the organization itself and its leaders. By using a phishing-resistant MFA that is frictionless, Beyond Identity helps ensure your security meets government requirements and your customers' expectations.

To learn how we can help your organization use phishing-resistant MFA, book a demo today.