Publication | BRG

FTC Imposes Personal Liability on CEO for Company’s Subpar Security, Privacy, and Records Management Programs

Matt Meinel and Michael Snodgrass

February 7, 2023

On January 10, 2023, the US Federal Trade Commission (FTC) finalized its enforcement action against Drizly and against its CEO in his personal capacity for failure to implement proper security, privacy, and records management measures. This is the first time the FTC has held a company official personally liable for privacy and security compliance, a practice the FTC promises to continue. This decision comes on the heels of the recent criminal jury verdict against Uber’s former chief security officer, heralding what may become a trend of holding corporate officers liable for security-related decisions and actions.

In its enforcement action, the FTC emphasized that, in addition to Drizly’s poor security practices, the company’s poor privacy and records management practices dramatically increased the negative impact of the security incidents on consumers—and therefore dramatically increased Drizly’s penalty.