Rimon

The FTC is holding company executives personally accountable for data breaches as part of an aggressive effort to protect consumer data

Amy Baker · November 9, 2022

In a policy shift, the Federal Trade Commission (FTC) is targeting company executives in what it has described as “part of [its] aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.”[1] FTC Chair Lina Khan believes that “Overseeing a big company is not an excuse to subordinate legal duties in favor of other priorities.”

This policy shift is highlighted in the FTC’s proposed settlement with alcohol delivery platform Drizly arising out of a 2020 data breach.[2] The FTC wants to make sure that the Drizly CEO is personally responsible for ensuring that his company has adequate data security going forward – and that personal responsibility will extend to any future company at which he serves as CEO, holds majority ownership or acts as a senior officer with information security responsibilities.

After experiencing a data breach, companies, and now their executives, can find themselves in trouble with the FTC under Section 5(a) of the Federal Trade Commission Act, which prohibits unfair and/or deceptive acts or practices affecting interstate commerce. Evidence that a company had inadequate data security or that it misrepresented, directly or indirectly, its security safeguards, is enough to land a company in hot water with the FTC. In this case, the FTC noted that Drizly’s own post-breach analysis concluded that its security failures were the cause of the data breach. This note alone should highlight the critical importance of ensuring that outside counsel is immediately retained in every data breach.

What you should do now:

  • Familiarize yourself with the data security laws applicable to your company, including the broad FTC Safeguards Rule[3] and the FTC Health Breach Notification Rule[4];
  • Ensure that your company has a legally sufficient compliance program in place for data security;
  • Ensure that your company has legally sufficient data security protections and systems; and
  • Update your company data breach emergency response plan, or create a plan if you don’t have one already.

[1] FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers | Federal Trade Commission (FTC Press Release)

[2] Decision and Order (ftc.gov)

[3] 16 CFR Part 314: Standards for Safeguarding Customer Information (Final Rule) | Federal Trade Commission (ftc.gov)

[4] Health Breach Notification Rule | Federal Trade Commission (ftc.gov)