Legal Alert

FTC Action Against Drizly Offers Cybersecurity Caution

December 13, 2022

You may have heard the adage "never let a good disaster go to waste." This is especially fitting in the case of cybersecurity breaches, where every incident offers an opportunity to learn and fill in the gaps—particularly when it happens to someone else. Such events provide a free, front-row seat to how companies, from big to small, fail to maintain basic data security and privacy policies and procedures, and the fallout incurred from such failures.

Case in point: the enforcement action taken in late fall by the U.S. Federal Trade Commission (FTC) against online alcohol marketplace Drizly and the resulting settlement agreement. The FTC alleged Drizly knew about its data security shortcomings yet failed to protect personal data from a data breach that affected 2.5 million customers.

Apart from the parade of embarrassing and obvious cybersecurity gaps (see the items below), this case provides two additional lessons worth noting:

  • First, the settlement agreement is not just between Drizly and the FTC; it includes the Drizly CEO. Holding the CEO directly accountable shows how seriously the FTC, and likely other regulators, view cybersecurity breaches that affect consumers.
  • Second, the FTC's approach highlights the importance of data minimization, or a limitation on what companies collect, a best practice that has been in use for decades. With this surfacing in Drizly's case, it is reasonable to expect that the FTC and state attorneys general, especially in states that have enacted privacy legislation (California, Utah, Colorado, Virginia, and Rhode Island), will pay close attention to it in the near future.

A review of the FTC's requirements in the settlement agreement makes it clear that none are earth-shattering and all are part of what makes for a legally reasonable cybersecurity regime. If your organization is missing any of the below, we recommend taking remedial action without delay.

  • Hire a professional responsible for implementing the data security program.
  • Formalize your program policies and procedures by putting them in writing—and then implement them. Include robust employee training.
  • When storing passwords, use industry-standard protocols. Drizly used MD5, an insecure hash function that has been deprecated for almost a decade.
  • Require multifactor authentication whenever possible. If you choose not to, be prepared to back up your decision and create an appropriate workaround.
  • Conduct periodic vulnerability testing and monitor for exfiltration.

We Can Help
Maslon can help answer questions or address concerns about your company's data security practices and determine potential steps necessary to defend against breaches.
