On October 24, 2022, the Federal Trade Commission (FTC) released an order taking action against the company Drizly, LLC, a subsidiary of Uber Technologies, Inc., for security failures leading to the exposure of 2.5 million consumers’ data. According to the FTC’s complaint, Drizly did not properly implement reasonable information security practices to protect consumers’ personal information. Moreover, Drizly was aware of security issues at least two years before the 2020 breach and failed to take adequate steps to address vulnerabilities.
Background
In July 2020, an intruder accessed an executive’s GitHub account, reviewed Drizly’s source code to find vulnerabilities in its software, and obtained Amazon Web Services (AWS) and database credentials. Using these credentials, the malicious actor modified the AWS security settings to access the production environment, which held millions of user records. The databases in the production environment included names, email addresses, postal addresses, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, and consumer data purchased from third parties. In addition, the databases contained passwords that were hashed using either the bcrypt function or MD5; MD5 is widely considered insecure for that purpose. Drizly used the GitHub software platform to store the source code supporting its website and mobile apps, as well as to hold company data and projects.
The FTC concluded that Drizly failed to use reasonable information security practices, notably by (1) not developing adequate security standards, policies, and practices, not assessing or enforcing the procedures that were in place, and not training employees on those practices; (2) not securely storing AWS and database login credentials; and (3) not instituting reasonable data access controls. Drizly’s privacy policy led consumers to believe its security practices were reasonable and appropriate to protect their personal information. Additionally, Drizly had notice of the risks of exposing its AWS credentials as early as 2018, when an employee posted credentials to the GitHub repository, resulting in another actor using Drizly’s AWS servers to mine cryptocurrency. Following that incident, Drizly did not take appropriate steps to enhance the security of its GitHub accounts and did not implement policies, procedures, and technical measures, or train employees on proper security procedures, for accessing Drizly’s GitHub repositories.
FTC Requirements Imposed on Drizly
Most notably, the FTC ordered that Drizly comply with the following requirements:
- Destroy any personal information that is not used or retained in connection with providing products or services to customers.
- Make publicly available a retention schedule for personal information, indicating the information’s purposes, business needs, and timeframe for deletion of the personal information.
- Refrain from collecting any information not necessary for purposes provided in the required retention schedule.
- Update its retention schedule before collecting any information that was not already collected prior to the issuance of the order.
- Establish, implement, and maintain an information security program that follows industry standards and, among other things, installs technical measures necessary to prevent the storage of unsecured access keys and requires multi-factor authentication.
- Obtain initial and biennial assessments from a qualified third party to review the information security program.
- Refrain from misrepresenting the business’s data collection and use, protection of privacy and security of personal information, and the extent of any incident or other compromise of personal information.
- Submit a report to the FTC within 10 days of a notification of the occurrence of a covered incident to a local, state, or federal entity.
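Two of the findings above (credentials committed to a GitHub repository, and the ordered "technical measures necessary to prevent the storage of unsecured access keys") are the kind of control that can be enforced mechanically before code ever leaves a developer’s machine. The following is an added illustration, not code from the order, from Drizly, or from any named tool: a small Python scanner that looks for AWS access key IDs and secret access keys in text and is suitable as a pre-commit hook. The key-format rules (20-character IDs prefixed AKIA/ASIA, 40-character secrets) are AWS’s published formats; the sample configuration is constructed and uses AWS’s documented placeholder credentials, which are not real keys. Findings are reported masked so the hook itself never echoes a secret into logs.

```python
"""Pre-commit style scanner for AWS credentials in source text (added example)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA
# (temporary). The lookarounds stop the pattern matching inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Za-z0-9])")

# Secret access keys are 40-character base64-like strings. On their own that is
# too noisy, so require a key-like name immediately before the value.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    masked: str  # the matched value is never reported in full


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding can be triaged."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped token found in `text`, with line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan each path; binary or unreadable files are skipped rather than failing the hook."""
    results: dict[str, list[Finding]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                found = scan_text(fh.read())
        except (OSError, UnicodeDecodeError):
            continue
        if found:
            results[path] = found
    return results


# Constructed sample using AWS's documented placeholder credentials (not real keys).
SAMPLE_CONFIG = """\
# constructed sample: AWS's documented placeholder credentials, not real keys
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
# a longer token that merely contains the prefix should not be flagged
build_id = AKIAIOSFODNN7EXAMPLE0123
"""


def main(argv: list[str]) -> int:
    """Usage: scan_aws_keys.py FILE...  (exit 1 if anything is found, so the commit is blocked)."""
    if not argv:
        print("demo run against the constructed sample:")
        for f in scan_text(SAMPLE_CONFIG):
            print(f"  line {f.line}: {f.kind} {f.masked}")
        return 0
    results = scan_files(argv)
    for path, findings in results.items():
        for f in findings:
            print(f"{path}:{f.line}: possible {f.kind} ({f.masked})")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the two findings in the constructed sample (lines 3 and 4); wire it into a pre-commit hook by passing the staged file names, and a non-zero exit blocks the commit. The name-anchored secret pattern trades recall for a low false-positive rate; broadening it (for example with an entropy check) is the usual next step once the hook is trusted.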
The FTC also ordered that Drizly’s Chief Executive Officer (CEO), James Cory Rellas, comply with the following requirements for 10 years after the issuance of the order:
- Design, implement, maintain, and document an information security program that follows the requirements of the order and best practices.
- Institute the information security program at future companies where he may function as a senior officer with responsibility for information security, or where he is a majority owner, CEO, or senior officer with information security responsibilities.
Key Takeaways
The FTC’s recent order underscores the importance of developing an enterprise-wide approach to data security and privacy. Data mapping is a fundamental starting point for understanding what data your business holds, followed by a risk assessment of the existing policies and procedures your business has in place to protect that data. The order serves as a further reminder that businesses should limit the collection and retention of personal information where feasible and retain only what is required by law, regulation, court order, etc. This requires a deep dive into an organization’s data retention and destruction policies and procedures so that they align with keeping only the data that is necessary and legally required.
Additionally, a growing trend we continue to see is the criticality of responding promptly in the event of a data compromise: assessing which security measures and procedures may be inadequate and addressing them as soon as practicable, so that malicious actors cannot exploit the same vulnerabilities again. Furthermore, given the recent verdict finding Joseph Sullivan, the former Chief Security Officer of Uber Technologies, guilty of obstruction of the Federal Trade Commission and misprision of a felony, this FTC order is part of a trend of holding executive officers personally accountable for failures to implement adequate security practices or to follow data breach reporting requirements.
Octillo recommends that organizations across industries adopt a proactive approach to both data security and privacy initiatives, from data mapping and regulatory assessments to tabletop exercises that pressure-test your incident response plan. Preparation is the name of the game in understanding what your organization will do, and how, in the event of a cyber incident. Furthermore, aligning your team with experienced breach counsel who are well-versed in this space outside the context of an active cyber matter is critical for mitigating legal risk and minimizing downtime when a cyber matter does arise. Our team can help your company mitigate risks while assessing the effectiveness of your cybersecurity program and creating a roadmap to tackle each new component, including planning for resource allocation in the form of time, money, technology, and personnel.
*Attorney advertising. Prior results do not guarantee a similar outcome.