On Monday, the Federal Trade Commission (FTC) released a draft Decision and Order embodying an agreement between it and respondents Drizly, LLC (Drizly) and James Cory Rellas (Rellas), Drizly’s CEO. The Decision and Order is intended to remedy Drizly’s alleged failure “… to use appropriate information security practices to protect consumers’ personal information,” which failure “ … allowed a malicious actor to access Drizly’s consumer database and steal information relating to 2.5 million consumers … “ The FTC further alleges that “Rellas is responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable security practices.”
The respondents alleged errors and omissions are detailed in a draft complaint, which is quoted above, that the FTC released with the draft Decision and Order along with other documentation, including a press release discussing the matter in an over all fashion. In the draft complaint, the FTC describes Drizly as an operator “… of an e-commerce platform that enables local retailers to sell alcohol online to consumers of legal drinking age.” According to the FTC, Drizly became a wholly owned subsidiary of Uber Technologies, Inc. in October 2021.
The draft complaint alleges numerous ways in which Drizly allegedly failed to implement appropriate safeguards for consumer information, including: failure to develop adequate written protocols; failure to implement those it did have, and failure to train its workforce; failure to securely store data and impose access controls; failure to monitor for unauthorized attempts to transfer data; failure test security features or conduct regular risk assessments; and failure to have a regimen for deleting consumers’ information that was no longer needed. The FTC also alleges that Drizly made deceptive public comments about its security protocols.
The draft complaint has two causes of action: Drizly’s Unfair Information Security Practices; and Drizly’s Deceptive Security Statements. Both causes of action refer to the “Respondents,” and FTC characterizes “ The [alleged] acts and practices of the Respondents’” as violating Section 5(a) of the Federal Trade Commission Act.
The draft Decision and Order, if effective, will impose comprehensive requirements on the “Corporate Respondent” regarding its information security disclosures and practices. The “Individual Respondent will also be required to adhere to agreed protocols for ten years even if he leaves Drizly to take certain defined roles at some other entity.
The Agreement Containing Consent Order, another document released by the FTC, provides that “Proposed Respondents neither admit or deny the allegations in the draft Complaint, except as specifically stated in the Decision and Order [and except for ‘facts necessary to establish jurisdiction’].” Further procedural steps are necessary for the draft complaint to be issued and the Decision and Order to become effective.
One Commissioner dissented from the decision to name Rellas as a Respondent.
Drizly’s counsel is ZwillGen PLLC . Counsel for Mr. Rellas is Latham & Watkins LLP.
