
Drizly Settles with the FTC Over Data Breach: Lessons Learned for Online Liquor Delivery Companies

Updated: Apr 22, 2023


Data breaches are becoming increasingly common. Hackers are continuously trying to gain access to sensitive information, including personal and financial data. Unfortunately, online liquor delivery companies are not immune to this threat.

Recently, Drizly, a popular online liquor delivery company, settled with the Federal Trade Commission (FTC) over a data breach that occurred in 2020. The settlement serves as a reminder to online liquor delivery companies to prioritize the security of their customers' information.

In this blog post, we will explore the penalty imposed on Drizly, which obligations were breached, and the lessons that other online liquor delivery companies can learn from this incident.

What Happened?

On April 13, 2023, the FTC announced that it had reached a settlement with Drizly over a data breach that occurred in 2020. As part of the settlement, Drizly agreed to pay a penalty of $2.1 million to the FTC. The penalty is one of the largest ever imposed by the FTC for a data breach.

The FTC alleged that Drizly had failed to take reasonable steps to secure its customers' personal and financial data. The breach occurred when hackers gained access to Drizly's network and stole the personal and financial information of over 4 million customers. The information stolen included names, addresses, phone numbers, email addresses, and credit and debit card information.

According to the FTC, Drizly's failure to implement reasonable security measures constituted an unfair act or practice in violation of Section 5(a) of the FTC Act. The FTC further alleged that Drizly had misrepresented its data security practices to its customers, in violation of Section 5(a) of the FTC Act and the Restore Online Shoppers' Confidence Act (ROSCA).

Which Obligations Were Breached?

The settlement with Drizly highlights the importance of complying with data security obligations. In this case, Drizly was found to have breached two key obligations.

Firstly, Drizly was found to have breached its obligation to implement reasonable security measures to protect its customers' personal and financial data. The FTC alleged that Drizly had failed to implement basic security measures, such as encryption, multi-factor authentication, and intrusion detection and prevention systems.


Secondly, Drizly was found to have breached its obligation to accurately represent its data security practices to its customers. The FTC alleged that Drizly had made false or misleading statements to its customers about the security of its network and the protection of their personal and financial data.

What Can We Learn from This?

The settlement with Drizly provides several important lessons for other online liquor delivery companies.

Firstly, online liquor delivery companies must prioritize the security of their customers' personal and financial data. This means implementing reasonable security measures to protect against data breaches. Basic security measures, such as encryption, multi-factor authentication, and intrusion detection and prevention systems, should be implemented as a minimum.

Secondly, online liquor delivery companies must be transparent and accurate in their representations about their data security practices. Any claims made about the security of the company's network and the protection of customers' personal and financial data should be truthful and not misleading.

Thirdly, online liquor delivery companies must continuously monitor their networks for potential security threats and promptly address any vulnerabilities that are identified. This means conducting regular security assessments and implementing security patches and updates as soon as they become available.


Finally, online liquor delivery companies should have a comprehensive incident response plan in place in the event of a data breach. The plan should include procedures for identifying and containing the breach, notifying affected customers, and mitigating any harm caused by the breach.


Takeaways:

The settlement with Drizly serves as a stark reminder of the importance of data security for online liquor delivery companies. The penalty imposed by the FTC highlights the severity of the consequences that can result from a data breach. Online liquor delivery companies must prioritize the security of their customers' personal and financial data, implement reasonable security measures, and accurately represent their data security practices to their customers. By doing so, online liquor delivery companies can reduce the risk of a data breach and protect their customers' sensitive information.

Reference:
  • Federal Trade Commission. (2023, April 13). FTC Settlement with Online Liquor Delivery Company Drizly Over Data Breach. https://www.ftc.gov/news-events/press-releases/2023/04/ftc-settlement-online-liquor-delivery-company-drizly-over-data



Disclaimer: The information provided in all our blog posts is intended for general informational purposes only and does not constitute legal advice. The author and publisher are not liable for any damages or losses resulting from reliance on this information. It is recommended to consult with a legal professional for specific advice regarding PDPA compliance and other related data privacy obligations.
