FTC Slams Drizly for Data Security Failures Following Data Breach

Online alcohol marketplace Drizly has been ordered to implement numerous data security measures following a data breach that exposed the personal information of about 2.5 million consumers in 2020, the Federal Trade Commission announced Jan. 10.

Additionally, the FTC ordered Drizly CEO James Cory Rellas to “implement an information-security program at future companies” that collect consumer information from more than 25,000 individuals, “and where he is a majority owner, CEO, or senior officer with information-security responsibilities.”

The finalized FTC order resolves a complaint the agency first filed in October 2022. In its complaint against Drizly and Rellas, the FTC alleged that the company and Rellas “were alerted to security vulnerabilities two years prior to the 2020 breach yet failed to take steps to protect consumers’ data from hackers despite publicly claiming to have appropriate security protections in place.” Additionally, the FTC said “Drizly failed to implement basic security measures, stored critical database information on an unsecured platform, and neglected to monitor security threats.”

The FTC’s order, among other things, requires Drizly to “destroy any personal data it collected that is not necessary for it to provide products or services to consumers and must refrain from collecting or storing personal information, unless it is necessary for specific purposes outlined in a retention schedule.”

The order also requires the company to take data privacy measures. Drizly must publicly disclose on its website the information it collects and why such data collection is necessary and must “implement a comprehensive information security program and establish security safeguards to protect against the types of security incidents outlined in the complaint.”

After receiving no substantive comments, the Commission voted 4-0 to finalize the complaint and order against Drizly.


Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.
