FTC Takes Personal Aim At Drizly CEO For Crap Security Practices

from the a-strange-thing-called-personal-accountability dept

Thanks to our corruption-fueled failure to pass even a basic privacy law for the internet era, the US has seen a steady parade of privacy scandals, hacks, and data breaches, more often than not involving companies with pathetic privacy and security standards, which are dinged repeatedly with pathetic wrist-slap fines that are simply absorbed as the cost of doing business (see: T-Mobile).

If you’re an executive at a company with shit security and privacy standards and practices, meaningful penalties are hard to come by. If the hack or breach is bad enough, after enough deliberation you might lose your job (see: Equifax), but outside of a few days of bad press there’s very often little meaningful accountability for executives routinely responsible for ongoing US privacy and security dysfunction.

The FTC under Lina Khan is trying to change this dynamic somewhat. This week the agency unveiled a complaint against booze-delivery service Drizly, clearly spelling out how the company failed to implement basic consumer data security measures, stored critical consumer data on unsecured platforms, failed to monitor its own network for security threats, and routinely ignored warnings about lax security.

All told, the data of 2.5 million customers was exposed because the company cared more about growth and making money than basic security and consumer privacy, a pretty common story.

The press release indicates that as part of the consent agreement with the FTC, Drizly has to destroy the consumer data it over-collected, limit future data collection to just absolutely essential data, and implement comprehensive security and privacy standards.

But it also does something interesting: it specifically singles out Drizly CEO James Cory Rellas, mandating that he be subject to privacy oversight at any future companies he works at:

Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

It’s telling that it’s seen as a radical novelty for US regulators to try and hold executives personally responsible for lax security and privacy practices after thirty straight years of scandals. You’d think it’s a good thing for executives to face actual reputational penalties for these kinds of fuck ups, and there’s growing pressure to apply additional financial penalties for incompetent executives.

The problem: the FTC generally lacks the resources to both implement and enforce this kind of action at any real scale, and most US companies know this (hell, they created the problem through relentless lobbying to undermine the agency). The FTC voting majority is also subject to the whims of presidential elections, meaning the FTC could see dramatic turnover under a new president and just… stop doing this sort of thing (the preferred option for those that care exclusively about making money).

The root of our problem remains that we still haven’t passed a competent, basic privacy law for the internet era because the United States is simply too corrupt to do so. The combined lobbying force of numerous industries has simply proven too difficult for the adults in the room to overcome. So we get either no law at all, laws ghostwritten by corporations that only pretend to protect consumer data, or the occasional incoherent mess of a state law that’s also not meaningfully enforced at any real scale.


Comments on “FTC Takes Personal Aim At Drizly CEO For Crap Security Practices”

PaulT (profile) says:

“All told, the data of 2.5 million customers was exposed because the company cared more about growth and making money than basic security and consumer privacy, a pretty common story.”

It’s basic business. Infrastructure, security, etc., is always on the negative side of a balance sheet. It makes zero direct revenue, but costs money to maintain. If there’s not a direct business reason to support it (such as a direct threat of losing customers because it’s had a recent breach), then you’ll always be dealing with an overworked, underpaid staff working with minimal budgets.

I’ve seen companies collapse because they’ll give a massive bonus to salespeople but not allow budgets to infrastructure to cope with the new traffic. The idea that some of these people would fund a competent, well budgeted security staff until after a major breach is almost laughable.

Anonymous Coward says:

Re:

It’s basic business. Infrastructure, security, etc., is always on the negative side of a balance sheet. It makes zero direct revenue, but costs money to maintain.

It would seem to make sense, then, to “limit … data collection to just absolutely essential data”, without being forced by the FTC. Perhaps if the FTC continues this sort of thing, companies will realize that the expected value of personal data (including costs to store and secure it) is negative. Or as Bruce Schneier wrote in 2016, “Data Is a Toxic Asset”.

Tanner Andrews (profile) says:

Re: Re: Re:

we still don’t have a working preview button

In fairness, it should be noted that “flag”, “insightful”, and “funny” are also still broken, at least without javascript. I am not sure I would call the change in Techdirt platform an “upgrade” when it broke essentials like “preview” and offers so little visible benefit.
