FTC Takes Action Against Drizly Online Alcohol Marketplace for Security
January 11, 2023
Federal Trade Commission has finalized an order with online alcohol
marketplace Drizly and its CEO over security failures by the company
that the FTC said led to a data breach exposing the personal information
of about 2.5 million consumers.
According to an FTC complaint first announced in October 2022, Drizly
and its CEO James Cory Rellas were alerted to security vulnerabilities
two years prior to the 2020 breach yet failed to take steps to protect
consumers’ data from hackers despite publicly claiming to have
appropriate security protections in place. The FTC said Drizly failed to
implement basic security measures, stored critical database information
on an unsecured platform, and neglected to monitor security threats.
FTC’s order, among other things, requires Drizly to destroy any personal
data it collected that is not necessary for it to provide products or
services to consumers and must refrain from collecting or storing
personal information unless it is necessary for specific purposes
outlined in a retention schedule. It must also publicly detail on its
website the information it collects and why such data collection is
necessary. In addition, Drizly is required to implement a comprehensive
information security program and establish security safeguards to
protect against the types of security incidents outlined in the
In addition to the requirements imposed on Drizly, Rellas must implement
an information security program at future companies if he moves to a
business collecting consumer information from more than 25,000
individuals, and where he is a majority owner, CEO, or senior officer
with information security responsibilities.
After receiving no substantive comments, the Commission voted 4-0 to
finalize the complaint and order against Drizly.