Drizly FTC Verdict Could Set New Precedent for CEOs

Written By
Beyond Identity Blog
Published On
Nov 15, 2022

In 2020, Drizly, an alcohol delivery service that is now a subsidiary of Uber, announced a data breach that affected the personal information of up to 2.5 million customer accounts. Leaked data included phone numbers, IP addresses, and geolocation data for the accounts' billing addresses. 

In response, the FTC released a decision and order mandating sanctions against both Drizly and the company’s CEO, James Cory Rellas. Rellas and the company must follow the sanctions for the term of the order—20 years. If Rellas moves to another company, where he is responsible for data for more than 25,000 people, the sanction terms follow him to that company.

The FTC decision to not only hold a company leader personally responsible for securing company data, but to ensure that decision follows them for the rest of their career, is groundbreaking. Security breaches could now have career-long implications for CEOs. 

Requirements of the order 

The FTC order details specific requirements both the company and Rellas must follow. They are required to: 

  • Create written documentation about the content, implementation, and maintenance of the Information Security Program.
  • Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program.
  • Conduct employee cybersecurity training.
  • Destroy unnecessary data.
  • Design, implement, maintain, and document safeguards.
  • Test and monitor the effectiveness of the safeguards in place at least once every 12 months.

The specifics of the order demonstrate that the FTC values high-level security. As part of the requirement for creating safeguards, the order specifically mentions, multiple times, how Drizly and Rellas must use stronger authentication to protect data in the future.  

The order requires Drizly and Rellas to use phishing-resistant MFA for all employees, contractors, and affiliates seeking access to any assets, including databases storing covered information. The order specifies excluding telephone or SMS-based authentication methods. Drizly and Rellas are also required to offer MFA for consumers and not use data collected during the authentication process. 
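The MFA requirement above is concrete enough to be checked. The following script is an added example, not code from the article or from Beyond Identity: it audits a constructed set of identity-provider enrollment records against the two rules the order states for the workforce (every employee, contractor and affiliate must hold a phishing-resistant factor, and telephone or SMS-based factors are excluded). The method labels and the classification of which factors count as phishing-resistant are assumptions chosen for illustration.

```python
"""Audit workforce MFA enrollments against the order's authentication rules.

Added example (not from the article or from Beyond Identity). The
enrollment records are constructed, and the method labels are an assumption
about how an identity provider might name its factors.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed classification: phishing-resistant factors bind the credential to
# the relying party (FIDO2/WebAuthn, PIV smart cards), so a look-alike login
# page cannot capture anything reusable.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv_smartcard"}

# The order excludes telephone- and SMS-based methods outright.
PROHIBITED = {"sms", "voice_call"}

# Roles the order's workforce requirement applies to.
WORKFORCE_ROLES = {"employee", "contractor", "affiliate"}


@dataclass
class Enrollment:
    principal: str
    role: str                       # "employee", "contractor", "affiliate", "consumer"
    methods: List[str] = field(default_factory=list)


def audit(enrollment: Enrollment) -> List[str]:
    """Return findings for one principal; an empty list means compliant."""
    findings: List[str] = []
    methods = {m.lower() for m in enrollment.methods}

    prohibited = methods & PROHIBITED
    if prohibited:
        findings.append("prohibited method enabled: " + ", ".join(sorted(prohibited)))

    if enrollment.role in WORKFORCE_ROLES and not (methods & PHISHING_RESISTANT):
        # TOTP or push is MFA, but it is not phishing-resistant.
        findings.append("no phishing-resistant method enrolled")

    # The consumer requirement in the order is to *offer* MFA, which is a
    # product capability rather than a per-account check, so consumers only
    # get the prohibited-method check above.
    return findings


def audit_all(enrollments: List[Enrollment]) -> Dict[str, List[str]]:
    """Map each principal to its findings."""
    return {e.principal: audit(e) for e in enrollments}


def is_compliant(enrollments: List[Enrollment]) -> bool:
    """True only when no principal has any finding."""
    return all(not findings for findings in audit_all(enrollments).values())


# Constructed sample records.
SAMPLE = [
    Enrollment("alice", "employee", ["fido2"]),
    Enrollment("bob", "contractor", ["totp", "sms"]),
    Enrollment("carol", "affiliate", ["totp"]),
    Enrollment("dave", "employee", ["push", "webauthn"]),
    Enrollment("cust-1", "consumer", ["totp"]),
]

if __name__ == "__main__":
    for principal, findings in audit_all(SAMPLE).items():
        print(f"{principal:8} {'OK' if not findings else '; '.join(findings)}")
    print("compliant:", is_compliant(SAMPLE))
```

Run against the sample, bob is flagged twice (SMS enabled and no phishing-resistant factor) and carol once (TOTP only); alice and dave pass because each holds a FIDO2/WebAuthn credential, and the consumer record passes because only the prohibited-method rule is applied to it. In a real deployment the records would come from the identity provider's export and the method labels would need to match its naming.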

Not surprisingly, the FTC's order mirrors the phishing-resistant MFA requirement in the government mandate released to all government agencies earlier this year. Both the FTC order and the US government mandate illustrate the importance regulatory agencies are placing on phishing-resistant MFA.

Precedent for personal culpability 

Experts are pointing to the Drizly order as a precedent for future sanctions where leaders are held personally responsible for their organization not properly securing data. Additionally, the order shows that organizations that make the decision to move to phishing-resistant MFA now can potentially protect themselves against future sanctions. The requirements of the order show that the FTC thinks that phishing-resistant MFA provides the best security when it comes to protecting personal data.

Companies just like yours are turning to Beyond Identity to protect their vital data and resources, as well as the organization itself and its leaders. By using a phishing-resistant MFA that is frictionless, Beyond Identity helps ensure your security meets government requirements and your customers' expectations.

To learn how we can help your organization use phishing-resistant MFA, book a demo today.
