Avoiding an FTC Request Order, Part 2: Lessons from Drizly’s Security Negligence & The Ultimate Warning of Personal Liability


In our previous blog, “Avoiding an FTC Request Order, Part 1: Lessons from GoDaddy’s 2025 Security Mistakes,” we examined how GoDaddy’s failure to uphold basic security measures led to a Federal Trade Commission (“FTC”) enforcement action and 20 years of mandated compliance oversight. The company misrepresented its “robust” security capabilities, putting sensitive data at risk and misleading consumers about its adherence to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. The FTC found these claims to be inaccurate and deceptive.

GoDaddy’s fallout highlights why your security practices must be ethical, transparent, and resilient if you want to avoid an FTC order and the years of oversight that follow. GoDaddy isn’t the only company to learn this lesson the hard way. Another cautionary example is Drizly, an alcohol delivery platform, and its CEO James Cory Rellas. Their case shows the ultimate risk, personal liability, and what can happen when a company’s leadership ignores or delays proactive security measures and fails to make security a priority.

In this blog we’ll explore the enforcement order against Drizly and Rellas, identify the factors that contributed to the company’s downfall and eventual shutdown, and lay out the steps your organization must take to avoid ending up in the same position, or as the next name on the FTC’s list.

Case Study Overview: Drizly & CEO James Cory Rellas’ FTC Enforcement Order

In 2020, Drizly, an online marketplace for alcohol delivery that was later acquired by Uber, suffered a major data breach that exposed the personal information of 2.5 million customers. The FTC alleged that Drizly failed to implement appropriate security practices, allowing a malicious actor to access an employee’s unprotected GitHub account and, from there, steal consumer data stored on Amazon Web Services (AWS).
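The breach path described above, a compromised code-hosting account leading to data in a cloud account, is one that a repository-side control can interrupt. This page does not say how the GitHub access led to the AWS data; one common way is cloud credentials committed to source, and the following check refuses a commit whose staged diff contains AWS access key material. It is an added example written for this article, not Drizly’s code and not drawn from the FTC filings. The regexes, the entropy threshold, the “EXAMPLE” allowlist marker and the sample diff are all constructed for the illustration; the sample contains no real keys.

```python
"""Refuse commits that carry AWS credentials.

Added example for this article; it is not Drizly's code and is not drawn from
the FTC filings. The sample diff at the bottom is constructed and contains no
real keys.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Long-term access key IDs begin with AKIA and temporary (STS) ones with ASIA;
# both are 20 uppercase alphanumerics, which makes this a high-precision match.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. That shape also
# matches SHA-1 hashes, so a bare candidate is reported only when it is bound to
# an aws_secret_access_key-style name or its entropy exceeds 4 bits per
# character, the most a hex string can carry.
SECRET_BY_NAME_RE = re.compile(
    r"(?i)aws_?secret_?(?:access_?)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD_BITS = 4.0

# Vendor documentation placeholders (assumed marker, chosen for this example).
ALLOWLIST_MARKERS = ("EXAMPLE",)


@dataclass(frozen=True)
class Finding:
    line_no: int  # 1-based line within the scanned text
    kind: str     # "aws_access_key_id" or "aws_secret_access_key"
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_allowlisted(value: str) -> bool:
    return any(marker in value.upper() for marker in ALLOWLIST_MARKERS)


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return each credential-looking token, once per line, skipping allowlisted placeholders."""
    findings: List[Finding] = []
    seen: Set[Tuple[int, str, str]] = set()

    def add(line_no: int, kind: str, value: str) -> None:
        if is_allowlisted(value) or (line_no, kind, value) in seen:
            return
        seen.add((line_no, kind, value))
        findings.append(Finding(line_no, kind, value))

    for line_no, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            add(line_no, "aws_access_key_id", m.group(1))
        for m in SECRET_BY_NAME_RE.finditer(line):
            add(line_no, "aws_secret_access_key", m.group(1))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            if shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD_BITS:
                add(line_no, "aws_secret_access_key", m.group(1))
    return findings


def scan_text(text: str) -> List[Finding]:
    return scan_lines(text.splitlines())


def commit_allowed(diff_text: str) -> bool:
    """Pre-commit decision: True only when no credential material was found."""
    return not scan_text(diff_text)


# Constructed staged diff: lines 3 and 4 must be caught, lines 6 and 7 are AWS
# documentation placeholders, line 8 is a low-entropy 40-character string.
SAMPLE_DIFF = """\
+# settings for the order service (constructed sample)
+AWS_REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAZZ0123456789ABCD"
+AWS_SECRET_ACCESS_KEY = "Zq8/kL2mN9pQ+rS4tU7vW0xY3zA6bC1dE5fG8hJ2"
+# Placeholders copied from vendor docs, not real credentials:
+# aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+# aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+BUILD_TAG = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+DB_HOST = os.environ["DB_HOST"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} = {f.value[:4]}...{f.value[-4:]}")
    print("commit allowed:", commit_allowed(SAMPLE_DIFF))
```

Wired into a pre-commit hook, the scanner reads the output of `git diff --cached` and exits non-zero when `commit_allowed` is false. The 4-bit entropy bound is what lets commit hashes and hex checksums through while a real 40-character secret, which draws on a 64-symbol alphabet, does not; the allowlist marker is deliberately narrow, so a genuine key that happened to contain the word EXAMPLE would be an accepted false negative.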

The compromised data included “names, email addresses, postal addresses, phone numbers, partial payment information, order histories,” and sensitive details such as marital status, gender, and ethnicity (page 2). The FTC characterized the breach as the outcome of poor leadership and repeated negligence: known weaknesses in Drizly’s security infrastructure went unaddressed.

Despite multiple warnings, Rellas failed to oversee the company’s security practices and avoided taking ownership of them, which is what made him personally liable in the eyes of the FTC. His leadership, or lack of it, is a model of what a company leader should not do, and the FTC found Drizly’s environment inadequate and insecure as a result.

4 Critical Failures Behind Drizly & Rellas’ Fallout

Below are four critical factors behind Drizly’s and Rellas’ security failures, along with actionable lessons your organization can apply to avoid a similar fate.

Factor 1 – Lack of Executive Oversight & Personal Accountability

As regulations evolve and tighten, it’s crucial to address recurring security or privacy issues immediately, before they escalate. The FTC accused Rellas of taking “shortcuts” on security and described him as “careless” with both the company’s reputation and its compliance obligations.

FTC Statement: “Rellas is responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable information security practices (…)”, and “failed to hire a senior executive responsible for the security of consumers’ personal information” (pages 1-2).

The CEO never appointed a senior executive responsible for monitoring and managing unauthorized access and threats within Drizly’s systems. This gap in oversight left the company exposed and unprepared for years.

Enforcement Action: The FTC imposed a personal enforcement order against Rellas, requiring him to implement and maintain an information security program at future companies he leads, even ones unrelated to Drizly. The order remains in effect for 10 years:

  • “Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals (…). This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.”

What to Do Differently: Rellas’ situation sends a strong message to companies and their executives: individuals can be held liable for failing to protect consumer data. Leaders must delegate with care, not carelessness, and verify that the organization is actually in good standing. Consequences now reach beyond corporate penalties to become direct, personal, and damaging to an individual’s reputation.

  • Assign clear executive roles so that leadership has visibility over, control of, and involvement in every data protection and security function.
  • Ensure your organization takes accountability for all major security decisions and internal operations.
  • Establish a regular cadence for active monitoring and risk management.

Factor 2 – Failure to Minimize Data Collection & Enforce Proper Retention Periods

Drizly collected and stored far more data than it needed. Retaining excessive consumer data, current or outdated, only increases the harm when a breach occurs.

FTC Statement: The order requires Drizly to destroy and minimize any personal data it collected that is not used or retained to provide “products or services to consumers,” and to “document and report to the Commission what data it destroyed.”

Because Drizly had limited security protection to begin with, every record it kept was at greater risk of being lost. It needed to limit its data collection and adopt responsible retention practices for the sake of its consumers.

Enforcement Action: Within 60 days of the order, Drizly must publish for consumers why it collects each type of information, the specific business need it serves, and the timeframe for deleting it (page 3). Drizly must also maintain ongoing documentation of these practices for FTC review; failing to do so could lead to additional penalties.

What to Do Differently: This order reinforces that organizations should collect only what is relevant and necessary. Over-collection is no longer acceptable; it takes advantage of consumer trust and consumer data. Had Drizly practiced data minimization earlier, the harm to consumers could have been significantly reduced.

  • Establish and define a data retention policy. Once data has fulfilled its purpose, dispose of it securely rather than keeping it around. This shrinks the impact of a breach, prevents unauthorized access to stale records, and strengthens overall data security.
  • Be transparent with consumers: communicate why data is being collected, how it will be used, and when it will be deleted.
  • Document your organization’s process and record every deletion and retention action to demonstrate accountability and compliance, especially if the FTC ever asks for it.

Factor 3 – Ignoring or Delaying Remediation for Known Security Vulnerabilities

One of the most striking aspects of the FTC’s complaint is that Drizly and Rellas were alerted to a similar security incident in 2018, two years before the 2020 breach.

FTC Statement: “Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers.” And “Drizly’s own post-breach analyses concluded the company’s lack of security preparedness, including failures to operate a formal security program or practice basic security hygiene (…)” (page 5).

Drizly and Rellas knew about the security problems but chose not to take proactive steps to bring the security program into working order. This reflects a lack of accountability on both sides and left consumer data in jeopardy when the breach was preventable.

Enforcement Action: The FTC required Drizly to establish a comprehensive information security program that involves:

  • “providing security training for its employees;
  • designating a high-level employee to oversee the information security program;
  • implementing controls on who can access personal data;
  • and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.”

What to Do Differently: Drizly’s biggest mistake was choosing to be reactive instead of proactive. The company knew about its security failures years earlier yet waited until after a breach to act. That approach is not sustainable; organizations need to attend to vulnerabilities before further damage and cost arise.

  • Treat all security warnings as urgent, not optional.
  • Enforce mandatory MFA and regular security training for employees so that security is actually upheld.
  • Track and document remediations so every identified weakness is verifiably closed, and limit access to sensitive systems to those who need it.

Factor 4 – Misleading Claims about “Robust” Security Practices

Like GoDaddy, Drizly misrepresented itself as having effective security protection despite numerous internal flaws. This violates Section 5(a) of the FTC Act, as the “acts and practices of Respondents, as alleged in this Complaint, constitute unfair and/or deceptive acts or practices” (page 6).

FTC Statement: The complaint cites statements Drizly made to consumers about its security practices.

Although Drizly marketed itself as a company with integrity and accountability, committed to having “reasonable security practices” in place, its internal practices contradicted that statement: very little was done to secure its databases.

Enforcement Action: The order requires Drizly to retain, among other records, “A copy of each unique advertisement or other marketing material of Corporate Respondent containing a representation subject to this Order” (page 15). The order also provides that “this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance” (page 16).

What to Do Differently: Given the many promises Drizly made and the mistakes behind them, the FTC’s final ruling was a 20-year enforcement order against the company. Drizly must not only meet every requirement the FTC listed but also keep records of its compliance for the FTC to review.

  • The lesson is that it’s better to be honest with consumers. Avoid misleading claims; don’t label your company “secure” unless your security practices can back that statement up. Overstating your security will likely lead to an extensive, burdensome period of oversight and a severe loss of consumer trust, because customers rely heavily on your commitment to protect their data.

Conclusion: Drizly & Rellas’ Shut-Down Outcome

Overall, the Drizly case is a key reminder that consumer protection is a legal duty, not an optional best practice. Both Drizly and Rellas learned the hard way the cost of not making better, prioritized decisions sooner. Although the FTC gave Drizly the opportunity to comply with its requirements, the company was ultimately shut down under Uber’s ownership while still bound by the 20-year order.

The lessons here are clear: an FTC order is not something to gloss over. The consequences can be destructive and long-term, and they can make or break your organization’s reputation and the future of your business. Ensure executive oversight and personal accountability, minimize data collection and enforce proper retention periods, remediate known security vulnerabilities immediately, and never make claims about “robust” security that your organization cannot genuinely prove.

Unsure whether your security practices meet FTC expectations? Connect with our Myna experts today for an in-depth assessment of your data protection, privacy, and compliance posture, and stay ahead of regulatory challenges before they become enforcement actions.


References

Image 1: Google Images

Image 2: Google Images

GoDaddy Blog Link: Avoiding an FTC Request Order, Part 1: Lessons from GoDaddy’s 2025 Security Mistakes

Complaint of Drizly & Rellas Case & Image 3

FTC Case Against Drizly & Rellas: FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers | Federal Trade Commission

FTC Domain Link: https://www.ftc.gov/

Decision and Order of Drizly & Rellas Case 

Data Retention: 3 Reasons to Reassess Your Cookie Compliance Program for Stronger Privacy Protection

Uber & Drizly’s Outcome: Uber to shut down Drizly, the alcohol delivery service it bought for $1.1 billion – CBS News