Penalties for data breaches surging

A data breach against Drizly LLC in 2020 exposed the personal data of around 2.5 million customers through a hacker accessing employee login information.  Now, the Federal Trade Commission (FTC) has levied a proposed decision and order against both the firm and its CEO, James Cory Rellas, exacting stern measures. 

Demonstrating the severity of consequence directed to breached entities, it stipulates a wide range of data security protocols for Drizly to put in place. These include some standard practices.  Drizly must revise how it handles personal information, documenting for the FTC and the public its data collection schedule: that means which data is collected and stored, its purpose, and when it will be destroyed, and strictly adhering to this outline.  It is also required to implement a rigorous data security program that involves employee training, assignment of an overseer, stringent data access privileges and multi-factor authentication.  Hopefully, strong data encryption efforts are also part of this equation, lest all other efforts be for naught once the next hacker gets their tendrils into the network.

These aren’t surprising or uncommon measures for an organization to take to protect their data security, whether voluntary or not.  As Mondaq points out, they emphasize the principle of “data minimization,” limiting collection of data as necessary in accordance with regulations like the General Data Protection Regulation (GDPR) and California Privacy Rights Act (CCPA). 

What does strike me in this case is the decision for Drizly’s next two decades, during which they are required to have their security policies assessed biennially by qualified third-party professionals for any weaknesses or noncompliance issues.  Naturally, they must share all such information with the FTC, as well as any reports about breach notifications within 10 days.  Such a long term ‘commitment’ is quite unusual, and goes to show how seriously regulatory bodies are taking data security these days – as do the additional measures taken against Drizly’s CEO, Rellas. 

These extend far beyond the typical penalties.  Wherever Rellas goes, whichever company he may join in an ownership or manager role for the next 10 years, he must follow similar procedures with the FTC.  Strong infosec policies, documenting, yearly data risk assessments: if he is in a senior or executive role, he must follow these orders.  He must also deliver a copy of them to other managers, directors, officers, or relevant employees, like an infosec scarlet letter.

Such singling out of an individual sends a message that responsibility for data security (and breaches) can have dire repercussions for anyone caught dropping the ball.  Comprehensive security strategies are critical in preventing such headaches, both on the perimeter and protecting the data itself.  For the latter, encryption software such as NetLib Security’s Encryptionizer provides transparent encryption for data at rest, adding a crucial layer of protection against both bad actors and the increasingly substantial repercussions that follow for a breached entity.