
FTC Consent Order Against Drizly CEO Sets Cyber Accountability Precedent

As regulators get more serious about enforcing data protection rules, the penalties imposed on enterprises that fail to secure customer data continue to grow. Recent fines have ranged from $85 million (Yahoo) to $1.19 billion (Didi Global). While these fines are sizable and represent a crackdown on the companies themselves, executives have historically avoided personal liability for the failures of their security programs.

However, the demand for executive accountability is on the rise, as the recent Uber and Drizly cases show. Uber Technologies' former Chief Information Security Officer (CISO), Joseph Sullivan, was convicted on federal charges of obstructing an FTC investigation and concealing a 2016 data breach in which the personal information of over 57 million users and drivers was stolen. Sullivan was responsible for security operations and cybersecurity at the company; as revealed at trial, he orchestrated a scheme under which Uber paid the hackers $100,000 to keep the stolen data from being released and the attack from becoming public. The cover-up came to light roughly a year later, after Uber's new CEO, Dara Khosrowshahi, took over.

Drizly, a Boston-based alcohol delivery company, also faced an FTC investigation after a breach exposed the personal information of approximately 2.5 million consumers. The Drizly CEO, James Cory Rellas, is being held accountable for allegedly failing to implement adequate information security measures to protect the confidentiality of customer data. The shortcomings of the security program were reportedly known internally as far back as two years before the breach, yet, according to the FTC, neither Rellas nor Drizly acted to mitigate the known risks or implement adequate security controls.

In a precedent-setting move, in addition to requiring Drizly to adhere to a set of mandatory privacy and security measures, the FTC is proposing a personal consent order to be imposed on Mr. Rellas for what the agency is calling his “role in presiding over unlawful business practices.” The order would require Mr. Rellas to implement a security program in any future role as a majority owner, CEO, or senior officer with information security responsibilities at a business collecting consumer information from more than 25,000 individuals.

The growing focus on cybersecurity by the FTC and SEC alike signals a paradigm shift in the enforcement of corporate governance mandates and a growing demand for executive accountability for cybersecurity failures. Senior leaders who have historically treated cybersecurity as an "IT problem" rather than an integral component of their enterprise risk posture now find themselves personally in the line of fire, as regulators demonstrate renewed interest in privacy and security mandates.

In an effort to keep consumers' information protected and executives accountable, the standards for compliance, and the stakes for failing to meet them, are higher than ever.

Good cyber hygiene is essential, especially for companies handling large volumes of sensitive or regulated data. Breaches continue to surge: a total of 108.9 million accounts were breached in the third quarter of 2022, a 70% increase over the previous quarter. Security practitioners have long distinguished compliance from security, and for good reason: ostensibly compliant organizations routinely get breached.

Thankfully, newer approaches to compliance management can provide real-time observability of controls and up-to-the-minute risk visibility, enabling well-informed risk management decisions. Cybersecurity and privacy frameworks, standards, and regulatory mandates provide consistent guidelines for selecting, implementing, and continuously validating security controls. The challenge historically has been getting compliance to operate on the same timescale as security operations; the gap between the two is what I've termed "compliance latency," an inherent flaw of most traditional compliance programs.

But compliance can and should deliver real risk and security value to the enterprise, provided that compliance management relies on objective, factual data about the state of technical security controls rather than on opinions collected through periodic surveys.

The unrelenting march towards greater transparency and accountability across the cybersecurity and privacy arena should serve as a wake-up call to enterprise leaders who have traditionally outsourced their responsibility to the CIO, CISO, or compliance and audit organizations. The security and privacy buck stops with the CEO, as made clear by recent civil and criminal enforcement action.

While compliance programs have traditionally been viewed as a cost of doing business, the converged risk-compliance-security strategy offers enterprises a way to unlock hidden value while uncovering hidden risk within their environments. More importantly, it affords leaders a consistent model for not only understanding their enterprise risk posture, but also the level of confidence they should have in their own internal and external cybersecurity compliance reporting.

Regardless of the framework or standard adopted to set measurable security objectives, companies consistently struggle with compliance because their compliance, security, and risk functions are misaligned. The interconnected and interdependent nature of today's digital economy creates a complex web of risk exposures, and a failure in one domain quickly propagates to the others.

As accountability demands progress, executives are increasingly questioning their own compliance confidence and potential civil and criminal exposure. It’s time for business executives, CISOs, and compliance leaders to rethink their approach to compliance as a model for ensuring their enterprise’s overall cybersecurity posture.

The Drizly case serves as a warning to other senior executives: accountability for cybersecurity negligence is here to stay. The regulators are sending a clear message: no matter the complexity of cybersecurity and compliance, plausible deniability is out, accountability is in.

Leaders should take a proactive approach to continuous, data-driven cybersecurity compliance management as the foundation of a mature enterprise risk management program.