In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data. Although the action arose out of a common security failure—the sort that has been the subject of numerous prior FTC consent decrees—the enforcement requirements extend beyond the standard implementation of an information security program. Indeed, the FTC’s order focuses on data minimization principles—a potential harbinger of how existing data security laws and new privacy laws may be converging. It therefore emphasizes the need for businesses to harmonize the roles and responsibilities of data privacy and security professionals, which are connected but frequently siloed.
In its Complaint, the FTC alleged that both Drizly and its CEO were aware of security issues exposed during a prior data security incident as early as 2018. It further alleged that Drizly’s failure to take adequate steps to address its known security vulnerabilities resulted in a second hack involving the theft of customer data. Specifically, the FTC alleged that Drizly and its CEO:
- Failed to implement basic security measures,including two-factor authentication, role based access provisioning, written security policies and procedures, and employee training;
- Stored critical database information on an unsecured platform, storing login credentials on GitHub contrary to the platform’s guidance and “well-publicized security incidents involving GitHub;” and
- Neglected to monitor network security threats, failing to put a senior executive in charge of data security and failing to monitor its network for unauthorized access attempts.
To address these deficiencies, the FTC’s proposed order requires Drizly and its CEO to:
- Destroy unnecessary data, including any personal data “that is not necessary for [Drizly] to provide products or services to consumers,” which must be both documented and reported to the FTC;
- Limit future data collection, by “refraining from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule,” information about which Drizly must publish on its website; and
- Implement an information security program, designed to address the issues identified in the complaint and which must include security training for employees, designation of a high-level employee to oversee the information security program; implementation of access controls, and implementation of MFA on systems containing consumer data.
The Drizly enforcement action’s data minimization requirements go above and beyond the traditional information security program requirements contained in prior FTC enforcement actions. Data minimization is critical to the security of consumer data—in the words of Commissioner Slaughter—because “hackers cannot steal data that companies did not collect in the first place.” Additionally, these requirements represent the next step in the FTC’s continued focus on what it refers to as “commercial surveillance,” and are likely to be a signpost for continued discussions around the FTC’s Advance Notice of Public Rulemaking.
The FTC’s increasing focus on data minimization is consistent with overall regulatory awareness of the dangers of over-collection and over retention, a focus reflected in new U.S. state privacy laws that likewise mandate data minimization standards. Businesses should consider reviewing data management practices and considering the implementation of data minimization principles.