FTC Finalizes Consent Order with Drizly Following Security Breach Affecting 2.5 Million Customers

  • The FTC finalized a consent order with Drizly, LLC and a related individual (collectively, “Drizly”) regarding alleged violations of the FTC Act. Drizly operates an e-commerce platform that allows local retailers to sell alcohol to consumers and facilitate its delivery.
  • According to the FTC’s complaint, Drizly failed to use appropriate information security practices to protect consumers’ personal information. The FTC claims that Drizly’s alleged security flaws allowed a malicious actor to access Drizly’s consumer database and steal information relating to 2.5 million consumers.
  • Under the terms of the consent order, Drizly must undertake data minimization efforts, refrain from collecting or storing unnecessary personal information, set appropriate data retention limits for any necessary personal information collected, implement a comprehensive information security program that provides, among other things, a multi-factor authentication option for consumers, and obtain biennial third-party information security assessments for 20 years.