FTC Action Against Drizly Offers Cybersecurity Caution
December 13, 2022
You may have heard the adage "never let a good crisis go to waste." It is especially fitting for cybersecurity breaches, where every incident offers an opportunity to learn and fill in the gaps, particularly when it happens to someone else. Such events provide a free, front-row seat to how companies, large and small, fail to maintain basic data security and privacy policies and procedures, and to the fallout from those failures.
Case in point: the enforcement action taken in late fall by the U.S. Federal Trade Commission (FTC) against online alcohol marketplace Drizly and the resulting settlement agreement. The FTC alleged Drizly knew about its data security shortcomings yet failed to protect personal data from a data breach that affected 2.5 million customers.
Apart from the parade of embarrassing and obvious cybersecurity gaps (see the items below), this case provides two additional lessons worth noting:
- First, the settlement agreement is not just between Drizly and the FTC; it includes the Drizly CEO. Holding the CEO directly accountable shows how seriously the FTC, and likely other regulators, view cybersecurity breaches that affect consumers.
- Second, the FTC's approach highlights the importance of data minimization, that is, limiting what a company collects and how long it keeps it to what is actually needed, a best practice that has been in use for decades. With this surfacing in Drizly's case, it is reasonable to expect that the FTC and state attorneys general, especially in states that have enacted comprehensive privacy legislation (California, Virginia, Colorado, Utah, and Connecticut), will pay close attention to it in the near future.
A review of the FTC's requirements in the settlement agreement makes it clear that none are earth shattering and all are part of what makes for a legally reasonable cybersecurity regime. If your organization is missing any of the below, we recommend taking remedial action without delay.
- Hire a professional responsible for implementing the data security program.
- Formalize your program policies and procedures by putting them in writing—and then implement them. Include robust employee training.
- When storing passwords, use an industry-standard, purpose-built password hashing scheme: a random per-user salt plus a deliberately slow function such as bcrypt, scrypt, or Argon2. Drizly used MD5, a fast general-purpose hash that has been considered unsuitable for password storage for well over a decade; a leaked table of fast, unsalted hashes can be cracked by dictionary lookup at billions of guesses per second.
- Require multifactor authentication wherever possible. If you choose not to, be prepared to document the reasoning and put compensating controls in place.
- Conduct periodic vulnerability testing and monitor for exfiltration.
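To make the password-storage point concrete, here is an added example (not Drizly's code and not part of the FTC order) that places the bare-MD5 scheme beside a salted scrypt scheme and shows how an existing MD5 table can be migrated transparently at login. The sample password, the tiny wordlist, and the scrypt cost parameters are constructed for illustration; everything uses only the Python standard library.

```python
"""Password storage: unsalted MD5 beside a salted, slow KDF, plus upgrade-on-login.
Added illustration only; the credential, wordlist and cost parameters are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data for this example only.
WORDLIST = ["password", "letmein", "Summer2022!", "drizly123"]

# ---- Weak scheme: bare MD5, no salt, no work factor ------------------------
def md5_store(password: str) -> str:
    """Return a bare hex MD5 digest (the scheme to avoid)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def crack_md5(stored_hex: str, wordlist) -> Optional[str]:
    """With no salt and a fast hash, one dictionary pass over a leaked table
    recovers the password. Real attackers do this at billions of guesses per
    second and reuse precomputed tables across every victim site."""
    for guess in wordlist:
        if hashlib.md5(guess.encode("utf-8")).hexdigest() == stored_hex:
            return guess
    return None

# ---- Hardened scheme: random per-user salt + memory-hard KDF (scrypt) ------
# Cost parameters are an assumption for this example; tune them to your
# hardware so one verification costs tens to hundreds of milliseconds.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$digest_hex.
    Storing the parameters alongside the hash lets you raise the cost later
    without invalidating existing rows."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate.hex(), digest_hex)

# ---- Migration: accept whichever format is stored, upgrade on login ---------
def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Return (ok, record_to_store). A legacy bare-MD5 row is accepted once and
    immediately replaced with an scrypt record, so the MD5 table shrinks with
    every successful login instead of lingering until a forced reset."""
    if record.startswith("scrypt$"):
        return scrypt_verify(password, record), record
    # Legacy row: 32 hex characters of MD5. Compare constant-time, then upgrade.
    if hmac.compare_digest(md5_store(password), record):
        return True, scrypt_store(password)
    return False, record

if __name__ == "__main__":
    leaked = md5_store("Summer2022!")
    print("MD5 row:", leaked, "-> cracked as", crack_md5(leaked, WORDLIST))
    a, b = scrypt_store("Summer2022!"), scrypt_store("Summer2022!")
    print("Same password, different salts, different records:", a != b)
    ok, upgraded = verify_and_upgrade("Summer2022!", leaked)
    print("Legacy login accepted:", ok, "| now stored as", upgraded[:30] + "...")
```

Two design points worth noting: the scrypt record carries its own cost parameters, so the work factor can be raised for new logins without a mass reset, and every comparison goes through hmac.compare_digest so a timing side channel does not leak how much of a guess matched.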
We Can Help
Maslon can help answer questions or address concerns about your company's data security practices and determine potential steps necessary to defend against breaches.