Cybersecurity Awareness Month – FTC Holds Corporate Executive Personally Liable for Cybersecurity Failures

By: Jessica L.

On January 10, 2023, the Federal Trade Commission (FTC) finalized its order against the online alcohol marketplace Drizly and its CEO, James Cory Rellas, for failing to implement security safeguards, a failure that led to a 2020 data breach exposing the personal information of 2.5 million users. Under the order, Drizly must implement data security measures covering the minimization, retention, and deletion of personal information. Notably, the order follows Rellas to any future employment for the next 10 years.

The FTC's decision marks the first time it has held an executive personally liable for a company's failure to comply with cybersecurity and data privacy obligations. Under the Federal Trade Commission Act, an individual can be held personally liable when the individual (1) participated directly in the deceptive practices or had authority to control them, and (2) had knowledge of the deceptive conduct. The main factor that can trigger individual liability is therefore an executive's awareness of the cybersecurity and data privacy practices within the organization.

According to the FTC's complaint, both Drizly and Rellas were notified of security vulnerabilities in 2018, prior to the data breach, but failed to adequately mitigate them. Specifically, Drizly did not securely store database login credentials, which allowed a malicious actor to gain access to and steal the data of those 2.5 million people. Moreover, Rellas neglected to hire a senior executive responsible for managing the security of the consumer personal information that Drizly collected and maintained.

The FTC also alleged that Drizly and Rellas:

- Failed to implement basic security measures such as two-factor authentication, access controls, and employee training.
- Stored sensitive login credentials on GitHub, despite the well-documented security risks of keeping secrets in a source repository, where they are readable by everyone with access to the repository rather than only by those who should be able to reach the database.
- Neglected to monitor the network for external threats and unauthorized access.
- Exposed customers to hackers and identity thieves when the information exfiltrated during the breach was put up for sale on the dark web.

The order outlines several requirements that Drizly and Rellas must undertake:

- Delete all collected personal information that is not essential to providing Drizly's products and services to consumers, and notify the FTC of what information was deleted.
- Refrain from collecting any personal information unless its specific purpose is outlined in Drizly's publicly available retention schedule.
- Publicly disclose the personal information Drizly collects and the reasons for collecting it.
- Implement an information security program that includes, among other measures, an employee designated to oversee the program, a procedure for responding to a data breach, and employee training.
- Hire a third party to conduct biennial security assessments for the next 20 years.

Significantly, if Rellas becomes employed at a different company, he is required to implement an information security program in any business that collects the personal information of more than 25,000 individuals where he is a majority owner or an officer with security responsibilities.