After repeated data breaches that exposed consumer information, the CEO of Drizly is being held personally accountable for the latest incident. The delivery company Drizly has settled an investigation by the FTC (there is a public comment period before the settlement is final). Under the settlement, the parties agree that the company's CEO must implement a detailed information security plan if he assumes a C-suite position at another company.

The unusual -- and aggressive -- tactic of holding the CEO to account comes after the company suffered multiple breaches, allegations that it failed to upgrade security appropriately after the initial breach, and charges that it misrepresented the state of its security measures.

Why It Matters

The CEO will not be fined as part of this settlement, but if it is ultimately accepted as final, it would set a startling precedent: that the C-suite can face personal liability for failing to secure consumer data. The facts of this case are very unfavorable to the company and the CEO, since they appear to verge on fraud regarding security, but it is nonetheless an important signal that consumer data protection is taking on a much larger role in regulators' minds. That means it should also take on more importance to business owners and executives -- and that public disclosures about security should be accurate and truthful.
