FTC finalizes data breach order with online alcohol marketplace
On January 10, the FTC announced it has finalized an order with a company that operates an online alcohol marketplace, along with its CEO, related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. As previously covered by InfoBytes, the FTC alleged the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. The FTC asserted, however, that the company failed to take appropriate measures to address its security problems even though it publicly claimed it had appropriate security protections in place. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information the company collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor the network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud. The respondents neither admit nor deny the allegations.
The terms of the final decision and order prohibit the company from making any misrepresentations in connection with any offered product or service related to how it collects, uses, discloses, maintains, deletes, or permits or denies access to personal information. Additionally, the company is required to destroy any collected personal data that is not necessary for providing products or services to consumers, and must refrain from collecting or maintaining personal information unless it is necessary for specific purposes provided in a data retention schedule. The company must also implement and maintain a comprehensive information security program, establish security safeguards to protect against specified security incidents, obtain initial and biennial third-party information security assessments, and publicly detail on its website information on its data collection practices. The order also requires the CEO to implement an information security program at any relevant business for which he is a majority owner, CEO, or senior officer with information security responsibilities.