Federal Register, Volume 87 Issue 210 (Tuesday, November 1, 2022)

[Federal Register Volume 87, Number 210 (Tuesday, November 1, 2022)]
[Notices]
[Pages 65767-65771]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-23669]

=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 202 3185]

Drizly, LLC; Analysis of Proposed Consent Order To Aid Public
Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the draft complaint
and the terms of the consent order--embodied in the consent agreement--
that would settle these allegations.

DATES: Comments must be received on or before December 1, 2022.

ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Drizly, LLC;
File No. 202 3185'' on your comment and file your comment online at
https://www.regulations.gov by following the instructions on the web-
based form. If you prefer to file your comment on paper, please mail
your comment to the following address: Federal Trade Commission, Office
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Jamie Hine (202-326-2188) or Elizabeth
Averill (202-326-2993), Bureau of Consumer Protection, Federal Trade
Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec. 2.34, 16 CFR
2.34, notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of 30 days. The following
Analysis to Aid Public Comment describes the terms of the consent
agreement and the allegations in the complaint. An electronic copy of
the full text of the consent agreement package can be obtained at
https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before December 1,
2022. Write ``Drizly, LLC; File No. 202 3185'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to
the Commission will be subject to delay. We strongly encourage you to
submit your comments online through the https://www.regulations.gov
website.
If you prefer to file your comment on paper, write ``Drizly, LLC;
File No. 202 3185'' on your comment and on the envelope, and mail your
comment to the following address: Federal Trade Commission, Office of
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule Sec. 4.9(c). In
particular, the written request for confidential treatment that
accompanies the comment must include the factual and legal basis for
the request, and must identify the specific portions of the comment to
be withheld from the public record. See FTC Rule Sec. 4.9(c). Your
comment will be kept confidential only if the General Counsel grants
your request in accordance with the law and the public interest. Once
your comment has been posted on the https://www.regulations.gov
website--as legally required by FTC Rule Sec. 4.9(b)--we cannot redact
or remove your comment from that website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule Sec. 4.9(c), and the General Counsel grants that
request.
Visit the FTC website at http://www.ftc.gov to read this document
and the news release describing the proposed settlement. The FTC Act
and other laws the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
that it receives on or before December 1, 2022. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a Proposed Consent Order
(``Proposed Order'') from Drizly, LLC (``Drizly'' or ``Corporate
Respondent'') and James Cory Rellas (``Rellas'' or ``Individual
Respondent''), individually and as an officer of Drizly (collectively,
``Respondents'').

[[Page 65768]]

The Proposed Order has been placed on the public record for 30 days
for receipt of comments from interested persons. Comments received
during this period will become part of the public record. After 30
days, the Commission will again review the agreement and the comments
received and will decide whether it should withdraw from the agreement
and take appropriate action or make final the agreement's Proposed
Order.
This matter involves Respondents' data security practices. Drizly
operates an e-commerce platform that enables local retailers to sell
alcohol online to consumers of legal drinking age and stored personal
information for more than 2.5 million consumers. Respondents engaged in
a number of unreasonable data security practices which caused or are
likely to cause substantial consumer injury. In addition, Corporate
Respondent made a number of misrepresentations to consumers in its
privacy policies about the measures it took to protect consumers'
personal information.
The Commission's proposed two-count complaint alleges that
Respondents have violated section 5(a) of the Federal Trade Commission
Act. First, the complaint alleges that Respondents have engaged in a
number of unreasonable security practices that led to a hacker's
unauthorized download of personal information about 2.5 million
consumers.
The complaint alleges that Respondents:
Failed to develop adequate written information security
standards, policies, procedures, or practices; assess or enforce
compliance with the written standards, policies, procedures, and
practices that it did have; and implement training for employees
(including engineers) regarding such standards, policies, procedures,
and practices;
Failed to securely store AWS and database login
credentials, by including them in GitHub repositories, and failed to
use readily available measures to scan these repositories for unsecured
credentials (such as usernames, passwords, API keys, secure access
tokens, and asymmetric private keys);
Failed to impose reasonable data access controls such as:
(1) unique and complex passwords or multifactor authentication to
access source code or databases; (2) enforcing role-based access
controls; (3) monitoring and terminating employee and contractor access
to source code once they no longer needed such access; (4) restricting
inbound connections to known IP addresses; and (5) requiring
appropriate authentications between Drizly applications and the
production environment;
Failed to prevent data loss by monitoring for unauthorized
attempts to transfer or exfiltrate consumers' personal information
outside the company's network boundaries; continually log and monitor
its systems and assets to identify data security events; and perform
regular assessments as to the effectiveness of protection measures;
Failed to test, audit, assess, or review its products' or
applications' security features; and failed to conduct regular risk
assessments, vulnerability scans, and penetration testing of its
networks and databases; and
Failed to have a policy, procedure, or practice for
inventorying and deleting consumers' personal information stored on its
network that was no longer necessary.
The complaint alleges that Respondents could have addressed each of
the failures described through well known, readily available, and
relatively low-cost measures. It also alleges Respondent's failures
caused or are likely to cause substantial injury to consumers that is
not outweighed by countervailing benefits to consumers or competition
and is not reasonably avoidable by consumers themselves. Such practice
constitutes an unfair act or practice under section 5 of the FTC Act.
Second, the complaint alleges Drizly made false statements on its
corporate website and in its mobile apps about its information security
practices. Specifically, Corporate Respondent misrepresented to
consumers that the information it collects from them is securely stored
and protected by commercially reasonable security practices. The
complaint alleges Corporate Respondent's actions constitute deceptive
acts or practices in violation of section 5(a) of the FTC Act.
The Proposed Order contains injunctive provisions addressing the
alleged unfair and deceptive conduct in connection with Respondent's
sale of dealer management system software and services. Part I of the
Proposed Order prohibits Corporate Respondent from misrepresenting the
privacy and security measures it uses to protect consumers' information
and privacy.
Part II of the Proposed Order requires Corporate Respondent to
delete within 60 days any ``Covered Information'' that is not being
used or retained in connection with providing products or services to
consumers, and to provide written statements to the Commission
describing the specific deletion of any such ``Covered Information.''
In addition, Corporate Respondent must refrain from collecting or
maintaining any future ``Covered Information,'' if the purpose is not
necessary for specific purposes described in a retention schedule.
Part III of the Proposed Order requires Drizly to create and
display on its website and apps a retention schedule for any ``Covered
Information'' it collects, maintains, uses, discloses, or provides
access. The schedule must provide a purpose for the information
collection, the business need for any retention, and a timeframe for
eventual deletion.
Part IV of the Proposed Order requires Corporate Respondent to
implement an Information Security Program, requiring among other
things:
Training in secure software development principles,
including secure engineering and defensive programming concepts;
Measures to prevent the storage of unsecured access keys
or other unsecured credentials;
Implementation of data access controls;
Risk assessment of source code and controls such as
software code review; and
Use of non-SMS based multi-factor authentication for
employees and offering multi-factor authentication as an option for
consumers.
Drizly must also obtain initial and biennial third-party
assessments of its Information Security Program implementation (Part
V), cooperate with the third-party assessor performing such assessments
(Part VI), have a senior corporate manager or corporate officer make
annual certifications regarding Corporate Respondent's compliance with
the Proposed Order's data security requirements (Part VIII), and report
to the Commission any event involving consumers' personal information
that constitutes a reportable event to any U.S. federal, state, or
local government authority (Part IX).
Part VII of the Proposed Order requires Individual Respondent James
Cory Rellas, for a period of ten years, for any business that he is a
majority owner, or is employed or functions as a CEO or other senior
officer with responsibility for information security, to ensure the
business has established and implements, and thereafter maintains, an
information security program.
Parts X-XIII of the Proposed Order are standard scofflaw provisions
requiring acknowledgment of the Order to be delivered for ten years to
corporate officers and employees engaged in the

[[Page 65769]]

conduct related to the order; a compliance report to be submitted
within one year of the order and after corporate changes; recordkeeping
requirements that last twenty years; and the submission, upon request,
of additional reports and records for compliance monitoring.
Part XIV of the Proposed Order provides that the order terminates
20 years after its issuance or 20 years after the latest complaint
filed in federal court alleging a violation of the order.
The purpose of this analysis is to aid public comment on the
Proposed Order. It is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify in any
way the Proposed Order's terms.

By direction of the Commission, Commissioner Wilson dissenting
in part.
April J. Tabor,
Secretary.

Statement of Chair Lina M. Khan Joined by Commissioner Alvaro M. Bedoya

Today the Commission announced a settlement with the alcohol
delivery platform Drizly, LLC, and its CEO, James Cory Rellas, over the
company's alleged failure to implement reasonable security policies.
According to the complaint, this failure led to several data breaches
that exposed the personal information of 2.5 million consumers. Drizly,
a wholly owned subsidiary of Uber, collects and stores a vast amount of
user data, including names, physical addresses, geolocation, and
alcohol order history. It also stores information about consumers that
it purchases from third parties.
The Commission's complaint alleges that in 2018, Rellas and Drizly
were alerted to security weaknesses that put its stockpile of consumer
data at risk, yet they did not address the problem. According to the
complaint, the company neglected to implement basic best practices,
such as developing a written data security policy or hiring a qualified
employee responsible for data security. Then, in 2020, a hacker was
able to access a massive trove of customer data by using login
credentials reused by an executive across personal accounts. During
this period, Drizly also allegedly made multiple misrepresentations
about its data security practices in the privacy policy on its
corporate website.
The Commission's proposed order imposes several important
conditions to prevent similar failures in the future. It prohibits
Drizly from collecting or storing consumer data that is not necessary
for pre-specified business purposes. Drizly must also implement a
comprehensive security program that features the latest multifactor
authentication requirements outlined in recent orders and prevents
storage of unsecured credentials on its network or in any cloud-based
service. In addition, Drizly must create a public retention schedule
for such data, including timeframes for eventual deletion of stored
data.
Notably, the order applies personally to Rellas, who presided over
Drizly's lax data security practices as CEO. In the modern economy,
corporate executives sometimes bounce from company to company,
notwithstanding blemishes on their track record.\1\ Recognizing that
reality, the Commission's proposed order will follow Rellas even if he
leaves Drizly. Specifically, Rellas will be required to implement an
information security program at future companies if he moves to a
business collecting consumer information from more than 25,000
individuals, and where he is a majority owner, CEO, or senior officer
with information security responsibilities. Our colleague Commissioner
Wilson dissents from the portion of the settlement that personally
applies to Rellas. She argues that CEOs of large companies must be
allowed to decide for themselves whether or not to pay attention to
data security. Respectfully, we disagree. Overseeing a big company is
not an excuse to subordinate legal duties in favor of other priorities.
The FTC has a role to play in making sure a company's legal obligations
are weighed in the boardroom. Today's settlement sends a very clear
message: protecting Americans' data is not discretionary. It must be a
priority for any chief executive. If anything, it only grows more
important as a firm grows.
---------------------------------------------------------------------------

\1\ See, e.g., Rani Molla, Why Does the WeWork Guy Get to Fail
Up?, Recode (Aug 17, 2022), https://www.vox.com/recode/2022/8/17/23309756/wework-adam-neumann-flow-andreessen-venture-capital.
---------------------------------------------------------------------------

Today's action will not only correct Drizly's lax data security
practices but should also put other market participants on notice.
Limiting the baseline collection and retention of data, as we do here,
is a critical tool for protecting Americans from the risks of data
breaches, and we will continue to explore remedies centered on limiting
the data that is collected or retained in the first place.\2\ Finally,
holding individual executives accountable, as we also do here, can
further ensure firms and the officers that run them are better
incentivized to meet their legal obligations.\3\
---------------------------------------------------------------------------

\2\ See Press Release, Fed. Trade Comm'n, FTC Takes Action
Against CafePress for Data Breach Cover Up (Mar. 15, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover; Press Release, Fed.
Trade Comm'n, Press Release, Fed. Trade Comm'n, FTC Takes Action
Against Company Formerly Known as Weight Watchers for Illegally
Collecting Kids' Sensitive Health Data (Mar. 4, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive; see also Statement of Chair Lina M. Khan
Regarding the Report to Congress on Privacy and Security (Oct. 1,
2021), https://www.ftc.gov/system/files/documents/public_statements/1597024/statement_of_chair_lina_m_khan_regarding_the_report_to_congress_on_privacy_and_security_-_final.pdf; Remarks of Chair Lina M. Khan As
Prepared for Delivery, IAPP Global Privacy Summit 2022 (Apr. 11,
2022), https://www.ftc.gov/system/files/ftc_gov/pdf/Remarks%20of%20Chair%20Lina%20M.%20Khan%20at%20IAPP%20Global%20Privacy%20Summit%202022%20-%20Final%20Version.pdf; see generally Trade
Regulation Rule on Commercial Surveillance and Data Security, 87 FR
51273 (Aug. 22, 2022).
\3\ See Press Release, Fed. Trade Comm'n, FTC Bans SpyFone and
CEO from Surveillance Business and Orders Company to Delete All
Secretly Stolen Data (Sept. 1, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data.
---------------------------------------------------------------------------

Statement of Commissioner Rebecca Kelly Slaughter

The kinds of lax and unreasonable data security practices the
Commission has alleged in this settlement with Drizly \1\ have caused
immense and often incalculable harm to consumers. As the complaint
recounts, Drizly's carelessness with customer information led to an
intruder gaining access to its systems and downloading the personal
information of 2.5 million people.
---------------------------------------------------------------------------

\1\ Drizly is now a wholly owned subsidiary of Uber which
reached a settlement with the FTC over its allegedly lax data
security practices in 2018. I worry greatly about this matryoshka
doll of companies with a spotty track record of protecting consumer
data.
---------------------------------------------------------------------------

This order is commendable and marks a meaningful step forward in
our data security enforcement. Naming Drizly's CEO, James Corey Rellas,
who oversaw these practices, helps ensure that corporate leadership
must take seriously their obligation to safeguard customer information.
Mechanisms like the proposed data retention schedule are also an
excellent approach to provide accountability for data use and misuse.
Ensuring that Drizly only collects information necessary to effectuate
its published business needs should exert a disciplining influence on
its collection of consumer information. The retention schedule also
provides a clear hook for future FTC enforcement actions should Drizly
not follow its strict requirements under this proposed order.
Going forward, I believe the law would support us doing more to
safeguard Americans' data, including requiring substantive limits on

[[Page 65770]]

appropriate collection and use. While the disclosure requirements in
this order have value, disclosure alone is not enough. We know that
endless terms-of-service and other disclosures have not improved
customer understanding, facilitated meaningful choice, or protected
data from security breaches. But hackers cannot steal data that
companies did not collect in the first place; requirements that limit
what data can be collected, used, and retained could meaningfully foil
and deter data security breaches.
There are many ways to approach data collection guardrails. As the
FTC further develops a minimization framework, one framework I hope we
consider is centering a consumer's reasonable expectation that there
should be limits on the collection and use of their information based
on the service they've actually requested. I believe the agency is in a
better position to effectuate this expectation than it is to
anticipate, understand, and police every claim of reasonable business
necessity. A consumer centered data minimization standard could work
hand-in-hand with the kinds of disclosures and effective data security
practices in this proposed order to protect Americans from the ongoing
epidemic of data breaches, which are greatly exacerbated by
overcollection of consumer information.
I am grateful to the staff for their hard work on this strong
order. I look forward to seeing how our work continues to evolve in the
pursuit of protecting Americans' data and ensuring our confidence in
the practices of the businesses with which we all transact.

Concurring and Dissenting Statement of Commissioner Christine S. Wilson

Today the Commission announces a complaint and settlement resolving
allegations that Drizly, LLC and its CEO, James Cory Rellas, violated
Section 5 of the FTC Act. The complaint asserts that Drizly made false
statements on its website and in its mobile apps about its information
security practices. The Commission also alleges that Drizly engaged in
several unreasonable data security practices that led to multiple
security breaches, including a hacker's unauthorized download of
personal information about 2.5 million consumers.
The FTC has long provided clear guidance to the business community
about the fundamentals of sound data security.\1\ But, as the complaint
details, Drizly failed to develop any written information security
standards, policies, or procedures; failed to require unique and
complex passwords or multifactor authentication to access source code
or databases; failed to terminate employee or contractor access to data
once they no longer needed such access; failed to monitor for
unauthorized attempts to transfer or exfiltrate consumers' personal
information outside company networks; and engaged in other security
shortcomings. Notably, simple, readily available, low-cost measures
could have addressed Drizly's security shortcomings. I support the
complaint against the company and the order provisions that require
Drizly to implement numerous data security practices to address the
company's missing security safeguards.\2\ In particular, my Democratic
colleagues and I agree that data minimization plays an important role
in a healthy data security program. As Commissioner Slaughter notes in
her concurring statement, ``hackers cannot steal data that companies
did not collect in the first place.''
---------------------------------------------------------------------------

\1\ Fed. Trade Comm'n, Start with Security: A Guide for Business
(Jun. 2015), https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business; Press Release, Fed. Trade
Comm'n, Stick with Security: FTC to Provide Additional Insights on
Reasonable Data Security Practices (July 21, 2017), https://www.ftc.gov/news-events/press-releases/2017/07/sticksecurity-ftc-provide-additional-insights-reasonable-data.
\2\ While I support the settlement against Drizly, I continue to
question whether data security orders should remain in effect for 20
years. It is not realistic for the Commission to expect that
injunctive relief with respect to this dynamic and rapidly evolving
issue will remain relevant and beneficial to consumers for 20 years.
See Concurring Statement of Commissioner Christine S. Wilson, In the
Matter of InfoTrax Systems, L.C. and Mark Rawlins, File No. 1623130
(Nov. 19, 2020), https://www.ftc.gov/system/files/documents/public_statements/1553676/162_3130_infotrax_concurring_statement_cw_11-12-2019.pdf.
---------------------------------------------------------------------------

While I support the complaint against the corporate defendant, I do
not support holding the individual defendant, Rellas, liable. To seek
injunctive relief with respect to a CEO or other principal, the
Commission must show only that the individual ``participated directly
in the deceptive practices or had authority to control those
practices.'' \3\ Authority to control does not require the FTC to show
a ``specific link from [the individual] to the particular deceptive
[acts] and instead looks at whether [the individual] had authority to
control the corporate entity's practices.'' \4\ This broad standard
effectively could enable the Commission to hold individually liable the
CEOs of most companies against which we initiate enforcement action.
---------------------------------------------------------------------------

\3\ FTC v. Ross, 743 F.3d 886, 892-93 (4th Cir. 2014) (adopting
the test for individual liability used by other federal appellate
courts, including the First, Seventh, Ninth, Tenth, and Eleventh
Circuits). The Commission also can establish liability for monetary
relief by showing the defendant ``had actual knowledge of the
deceptive conduct, was recklessly indifferent to its deceptiveness,
or had an awareness of a high probability of deceptiveness and
intentionally avoided learning the truth.'' Id.
\4\ Id. at 893.
---------------------------------------------------------------------------

The Commission traditionally has exercised its prosecutorial
discretion and assessed a variety of factors when deciding whether to
name a CEO or principal, including consideration of whether individual
liability is necessary to obtain effective relief, and the level of the
individual's knowledge and participation in the alleged illegal
conduct.\5\
---------------------------------------------------------------------------

\5\ Many FTC cases involve fraudulent or deceptive conduct by
small, closely held companies that essentially serve as the alter
egos of their principal or CEO. I support naming the CEO in such a
case because the individual defendant is necessary to obtain
effective relief and/or to prevent the fraudster from opening and
shuttering companies to stay one step ahead of law enforcement. See
Concurring Statement of Commissioner Christine S. Wilson Regarding
FTC v. Progressive Leasing, LLC, File No. 1823127 (April 20, 2020),
https://www.ftc.gov/system/files/documents/public_statements/1571921/182_3127_prog_leasing_-_statement_of_commissioner_christine_s_wilson_0.pdf.
---------------------------------------------------------------------------

The order against Drizly requires the company to implement
extensive data security safeguards regardless of whether Rellas is at
the helm of the organization. Naming Rellas does not change the
injunctive obligations placed on the company to ensure that customers'
personal information is protected going forward. Moreover, the case
against Drizly makes clear that the FTC expects technology start-ups to
start with security and establish reasonable data security practices
that grow with the company.
As for knowledge and participation, the number of issues crossing a
CEO's desk on any given day is substantial. In most large companies, I
would expect CEOs to have little to no involvement with, and no direct
knowledge of, practices that are the subject of an FTC investigation.
Here, we do not allege that Rellas oversaw day-to-day operations of the
company's data security practices, had any data security expertise, or
was responsible for decisions about data security policies, procedures,
or programs.\6\ Instead, we allege that Rellas did not appropriately

[[Page 65771]]

prioritize hiring a senior executive responsible for privacy and data
security. Our complaint notes that he hired other members of the c-
suite but not a Chief Technology Officer or Chief Information Security
Officer. And for Rellas' failure to prioritize information security
over other business obligations, the order imposes on Rellas
significant compliance obligations even if he leaves Drizly.\7\
---------------------------------------------------------------------------

\6\ Cf Complaint, In re InfoTrax Systems, L.C., a limited
liability company, and Mark Rawlins, Docket No. C-4696 (Dec. 30,
2019) (alleging Rawlins spent eighteen years at a software company,
studied computer science in college, ``reviewed and approved
InfoTrax's information technology security policies, was involved in
discussions with clients about data security regularly, and was
involved in the company's long-term data security strategy.''),
https://www.ftc.gov/system/files/documents/cases/c-4696_162_3130_infotrax_complaint_clean.pdf.
\7\ The Order binds Rellas to implement an information security
program at any future company in which he is a majority owner, CEO,
or senior officer with information security responsibilities, where
that company collects personal information from at least 25,000
individuals. The Order does not address scenarios in which Boards of
Directors, other owners, or higher-ranking executives make it
impossible for Rellas to fulfill his obligations.
---------------------------------------------------------------------------

By naming Rellas, the Commission has not put the market on notice
that the FTC will use its resources to target lax data security
practices. Instead, it has signaled that the agency will substitute its
own judgement about corporate priorities and governance decisions for
those of companies.\8\ There is no doubt that robust data security is
important. Having a federal data security law would signal to
companies, executives, and boards of directors the importance of
implementing and maintaining data security programs that address
potential risks, taking into account the size of the business and the
nature of the data at issue. But CEOs have hundreds of issues and
numerous regulatory obligations to navigate. Companies, not federal
regulators, are better positioned to evaluate what risks require the
regular attention of a CEO. And when companies err in making those
assessments, the government will hold them accountable.
---------------------------------------------------------------------------

\8\ Then-Commissioner Phillips and I raised similar concerns in
our dissents to the FTC's regulatory reviews of the Safeguards Rule.
See Joint Statement of Commissioners Noah Joshua Phillips and
Christine S. Wilson, In the Matter of the Final Rule amending the
Gramm-Leach-Bliley Act's Safeguards Rule, File No. P145407 (Oct. 27,
2021), https://www.ftc.gov/system/files/documents/public_statements/1597994/joint_statement_of_commissioners_phillips_and_wilson_in_the_matter_of_regulatory_review_of_the_1.pdf; Dissenting Statement of
Commissioner Noah Joshua Phillips and Commissioner Christine S.
Wilson, Regulatory Review of Safeguards Rule, File No. P145407 (Mar.
5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.
---------------------------------------------------------------------------

Accordingly, I dissent from the inclusion of the individual
defendant in the complaint and settlement in this matter.

[FR Doc. 2022-23669 Filed 10-31-22; 8:45 am]
BILLING CODE 6750-01-P