The FTC’s decision against Drizly and its CEO, James Cory Rellas, echoed loud and clear: the agency is serious about companies’ protecting consumer’s data, and if a CEO is not going to have direct oversight of the data collected, you need to hire someone to do it for you.
To better understand what happened in the Drizly case, here are the facts to know:
- Boston-based Drizly, a subsidiary of Uber, operates an online marketplace where consumers of legal drinking age can place orders with retailers to buy beer, wine, and alcohol for delivery.
- The company collects and stores on Amazon Web Services cloud computing service a wide range of personal information from consumers – such as email, postal addresses, phone numbers, unique device identifiers, geolocation information, and data purchased from third parties.
- Drizly and Rellas were alerted to problems with the company’s data security procedures following an earlier security incident. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account.
- Drizly failed to take steps to adequately address its security problems, while publicly claiming to have appropriate security protections in place.
- Two years later, a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and stole customers’ information.
The FTC then claimed Drizly and Rellas:
- Failed to implement basic security measures: The FTC alleged that – despite statements claiming the company used appropriate security practices to protect consumer data – Drizly and Rellas failed to put in place reasonable safeguards to secure the personal information it collected and stored. It did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.
- Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub. For example, in its 2018 complaint against Uber, the FTC specifically publicized and described poor security practices involving the use of Uber’s GitHub account that contributed to a data breach involving the ridesharing app.
- Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.
- Exposed customers to hackers and identity thieves: Following the company’s data breach, personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web, where criminals post and sell data stolen by hackers. Identity thieves and other malicious actors can use such data to open fraudulent lines of credit or commit other fraud. When unauthorized accounts are opened in their name, consumers can suffer financial harm by incurring debt and damaging their credit.
To clean up this situation, the FTC ordered Drizly and Rellas to:
- Destroy unnecessary data: Drizly is required to destroy any personal data it collected that is not necessary for it to provide products or services to consumers. It must also document and report to the Commission what data it destroyed.
- Limit future data collection: Going forward, Drizly must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also must publicly detail on its website the information it collects and why such data collection is necessary.
- Implement an information security program: Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.
- These orders will follow Rellas wherever he goes as a CEO.
The enforcement actions against Grizly by the FTC reflect back to some foundational beliefs for many privacy professionals and shows how the FTC is standing by its mission to protect consumers.
∇ ∇ ∇
As a business owner or a solopreneur of an ecommerce business, you may be wondering, “How can I protect my customers’ data on top of all of the other tasks I must do to keep revenue flowing into the business??”
The best practice is to create a cradle system for business transactions and daily operations to protect the consumer data (demographics, address, email, etc.) collected for business purposes by default.
Now is the time to do a quick check of your awareness of the protections level of the consumer information you collect for business purposed. How confident are you when the following occurs within your business operations or daily transactions:
- Choice and Consent. Do you provide your customers options to opt-in or opt-out of data collection?
- Access and Participation. Can your customers review and correct the information that you have stored?
- Integrity and Security. Do you keep your customer’s data (information) accurate and secure while using wifi?
- Enforcement and Redress. Are you following by the PCI DSS? Does the CCPA apply to your online business?
If you feel nervous or unsure when you ask yourself these questions, we invite you to recognize and celebrate this opportunity for proactive improvement and growth, before any negative consequences occur like they did for Grizly and Rellas.
You can contact Kuma to help you:
- conduct a wireless security test,
- help you design a progressive privacy-by-design action for your business,
- or start a conversation to determine what you need.
You’re in the right place, and we would be honored to guide you towards a more secure future for your organization’s revenue and reputation.