According to an FTC order, Drizly data security will be monitored for 20 years.

As part of a final agreement with the Federal Trade Commission (FTC) regarding a data breach that affected 2.5 million consumers, online alcohol retailer Drizly and its CEO have committed to data security rules and to be evaluated by an independent monitor for up to 20 years.

In October, the FTC filed a lawsuit against Drizly, stating that the company and CEO James Cory Rellas were aware of security flaws but chose to do nothing about them. 

The FTC claimed that the business unnecessarily held customer emails, addresses, phone numbers, and other data on an insecure platform with gaps that let hackers obtain access.

The complaint claims that Rellas and Drizly, an Uber company, were negligent in allowing a 2020 data breach that resulted in the loss of 2.5 million consumers' personal information.

The breach traced back to a one-day computer programming exercise on GitHub, where Drizly kept its data, in which a Drizly executive took part. According to the complaint, the business failed to revoke the executive's access after the exercise, and hackers finally gained access two years later.

The FTC's ruling, which was approved 4-1, mandates that Drizly remove all unnecessary personal data it has gathered within 60 days and forbids it from subsequently gathering and storing similar data. It is required to inform the FTC of the data it deletes.

A comprehensive information security system must be put in place by Drizly, including employee security training, the appointment of a high-level employee to manage the security measures, the setting of access restrictions for customer personal data, and other measures.

According to the order, it must develop a documented security policy with standards and mechanisms for enforcing adherence to the security measures.

Drizly must hire a third party to determine whether its security program is fully compliant, and then present the FTC with the supporting paperwork. Two assessments will be completed in 2023, followed by one every two years for the following 20 years.

Rellas was criticized by the FTC for failing to act after allegedly being informed of the flaws in Drizly's platform, and the agency imposed conditions that will apply to him for ten years, including if he accepts a position as an executive or owner at any other business that gathers data on more than 25,000 people.

Rellas has been in charge of selecting executives for practically every department of Drizly, but the complaint claims that he "failed to hire a senior executive responsible for the security of consumers' personal information collected and maintained by Drizly."

A Drizly representative wrote in an email statement on Wednesday, "We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us."
