Drizly FTC Order Introduces Significant Minimization, Deletion and Retention Requirements

On October 24, 2022, the Federal Trade Commission (“FTC”) issued an order (the “Order”) against the online alcohol marketplace, Drizly, and its CEO, James Cory Rellas, alleging security failures that resulted in a data breach exposing the personal information of approximately 2.5 million consumers. In reaching this conclusion, the FTC alleges that Drizly failed to implement reasonable safeguards to protect the personal information it collected and stored, such as, two-factor authentication for GitHub, access controls for personal data, sufficient written security policies, and appropriate employee training regarding security.

At a high level, the Order imposes several requirements with which Drizly’s information security program must comply going forward as well as obligations relating to Drizly’s handling of data (i.e. minimization, deletion, retention). Notably, and in line with the FTC’s recent scrutiny executive responsibility for privacy and security issues, the Order does not restrict its requirements to Drizly, but also ties some obligations to its CEO so that certain businesses with which he is involved in the future must also comply with the relevant parts of the Order.

Specifically, the Order outlines several steps that (1) Drizly and its successors and assigns (the “Corporate Respondent”), (2) any business that the Corporate Respondent controls directly or indirectly (“Covered Business”), and (3) Rellas must take. Notably, several of these requirements are similar to other laws and may indicate the FTC’s expectations of companies in the near future.

  • Mandated Deletion and Data Minimization. The Order requires that (1) the Corporate Respondent delete all personal information about consumers that is not being used to provide products or services, (2) provide a statement to the Commission confirming the same (within 60 days of the Order), and (3) minimize future collection of data to that necessary for specific purposes outlined in a retention schedule.

Notably, although the FTC does not have currently have a specific “minimization” regulatory requirement, several new privacy laws coming into effect in 2023 do have such a requirement; specifically, the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, and Virginia Consumer Data Protection Act require that entities minimize data where possible. We also note that the General Data Protection Regulation (“GDPR”), similarly requires entities to limit their data collection to what is needed. Collectively, this recent enforcement is another signal that companies should be mindful of their data collection and minimize the amount of data collected to that which is necessary for providing products and services.

  • Data Retention Limits. The Order also requires that the Corporate Respondent make a public retention schedule (within 60 days) that outlines the purpose for collection of types of personal information, business need for retaining such information, and set timeframe to deletion (and provide the Commission with a statement confirming the same). The Corporate Respondent must also update the retention schedule before collecting any new type of personal information.

Notably, the CPRA requires that companies disclose their retention of personal information and clarify why such information is being retained. This requirement also aligns with GDPR and is similar to requirements in the Illinois Biometric Information Privacy Act.

  • Mandated Information Security Program for Covered Businesses. The Order requires that within 60 days any Covered Business must establish and implement a comprehensive information security program, which program must include several requirements that may be instructive for any company’s information security program.

Specifically, the written information security program must include the provision of annual reports (or within 30 days after a security incident) to the board of directors, designation of a qualified employee to oversee the program, annual assessments of risks with respect to personal information, written policies and procedures (i.e. regarding implementation of safeguards, employee training, technical measures internally and for third parties, etc.), multi-factor authentication (“MFA”) for all employee, contractor, and affiliate access to any assets storing specified information, the offer of MFA for consumer accounts, access control measures, auditing rights, monitoring and logging standards and verification, technical measures to safeguard against unauthorized access, penetration testing, data inventory and deletion, among others. Furthermore, the Covered Business must assess its safeguards on at least an annual basis, vulnerability test at least once every four months, penetration test at least annually, use appropriate service providers, and modify the information security program based on any identified weaknesses.

  • Mandated Information Security Program for Certain Businesses of the Individual Respondent. For 10 years after the Order, if Rellas is a majority owner or functioning as a senior officer of a company, the business must establish a comprehensive information security program, which includes written policies and procedures, reporting to the board of directors, a designated employee for information security oversight, annual assessments, implements appropriate safeguards, vulnerability testing at least every 4 months, and annual penetration tests, among others. While these requirements themselves are not a light lift, this is the first time that the FTC has crafted a requirement that follows an executive.
  • Covered Incident Reports. Covered Businesses must submit a report to the Commission regarding any incident that results in a Covered Business notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization. Such reports must be made within 10 days of notification to any United States federal,  state, or local entity. The report must include the date, a description of the facts, the types of information impacted, number of consumers impacted, remediation taken to date, and copies of notices sent to other entities.

Several states require that entities disclose a security incident to the relevant state regulator. Although this Order requires that Covered Businesses also make such report to the Commission, the timeline and content of notice appear to be in line with similar data breach notification requirements under various state laws.

As outlined above, the Order imposes several requirements on both the Corporate Respondent and Rellas and demonstrates the FTC’s continued scrutiny of information security programs and more detailed expectations of technical and governance controls.  These themes, which are also reflected in the FTC’s recent rulemaking efforts, will be important to monitor into 2023.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.