The Federal Trade Commission is seeking to hold a tech CEO to specific security requirements in a newly proposed settlement, even if he moves to a different company.
The agency announced on Monday that its four commissioners had unanimously decided to propose an order against alcohol delivery service Drizly and its CEO James Cory Rellas for allegedly failing to put adequate security measures in place, which ultimately led to a 2020 data breach that exposed the personal data of about 2.5 million customers.
The FTC asserts that despite being made aware of the security issues two years prior to the incident, Drizly and Rellas did not take adequate steps to protect the data of their users.
While the FTC frequently enters into settlements like this one, its choice to identify the CEO and make the terms apply to him even after he leaves Drizly is a prime example of the strategy that Democratic Chair Lina Khan prefers.
According to some progressive enforcers, naming tech leaders in lawsuits should send a stronger deterrent signal to other prospective offenders.
The proposed order would require Rellas to implement an information security programme at future companies where he is the CEO, a majority owner, or a senior officer with information security responsibilities, provided the company collects consumer information from more than 25,000 people.
The proposed order is subject to a 30-day public comment period before the commission votes on whether to make it final.
Wilson stated that by naming Rellas, “the market will not be warned that the FTC will use its resources to target improper data security practices.”
She added that given CEOs’ broad view of their businesses, it is best left to companies rather than regulators to decide what the chief executive should pay regular attention to. “Instead, it has signalled that the agency will substitute its own judgement about corporate priorities and governance decisions for those of companies,” she wrote.
Wilson’s claim was addressed by Khan and Democratic Commissioner Alvaro Bedoya, who wrote in a joint statement that “supervising a large corporation is not a reason to defer legal obligations in favour of other objectives. The FTC has a responsibility to ensure a company’s legal obligations are weighed in the boardroom.”