Privacy in 2023: Management and Officer Liability for Privacy and Data Security Programs | Baker Donelson


If your management team and board of directors are not talking often about cyber liability and risk management, they will be soon.

As a matter of both corporate and individual liability, recent enforcement makes it clear that management cannot rely on generic privacy policy language at the expense of meaningful operations supporting the statements it posts and publicizes.

As an example, the Federal Trade Commission (FTC) announced an enforcement action against the online alcohol marketplace Drizly in late October 2022. This FTC action comes after Drizly’s data breach in 2020 when internal data security failures affected the information of 2.5 million customers.

FTC enforcement in privacy is common, but its new focus on management’s role in privacy and information security is unprecedented. On January 10, the FTC finalized the Drizly consent order requiring the company to implement and maintain a data protection program, which is a common outcome of any privacy-related consent order. What has been less common to date, however, is the FTC’s requirement that Drizly’s Chief Executive Officer, James Cory Rellas, implement an information security program at any future…
