FTC Settles with Online Alcohol Company Drizly Following Data Breach

  • The FTC has settled with online alcohol vendor Drizly, LLC and its CEO James Rellas (collectively, “Drizly”) to resolve allegations that Drizly violated the FTC Act by failing to employ reasonable security practices to protect consumers’ personal information and by making false and misleading statements that appropriate safeguards were used to protect that information.
  • According to the Complaint, Drizly failed to develop adequate written information standards and policies; stored login credentials in a nonsecure repository; and failed to impose reasonable data access controls, monitor for unauthorized attempts to transfer or exfiltrate consumers’ personal information, engage in regular testing and risk assessments, or have a policy in place for inventorying and deleting consumers’ personal information that was no longer necessary. The company also made misleading statements concerning its information security practices in, among other places, its Privacy Policy. In 2020, a production environment data breach resulted in the exfiltration of information relating to 2.5 million Drizly consumers.
  • Under the FTC’s Decision and Order, Drizly must cease any misrepresentation of its data collection and security programs; delete any personal consumer information not needed to conduct business; publish a data retention schedule; and maintain a comprehensive information security program, among other things. Further, Mr. Rellas, as an individual, must maintain a suitable information security program for any business for which he is a majority owner or senior officer.