Recent Federal, State Actions Signal Increased Scrutiny for Executives on Cybersecurity Compliance

January 9, 2023 Advisory

Earlier this year, the Federal Trade Commission (FTC) took action against online alcohol marketplace Drizly and CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of 2.5 million consumers. The FTC’s order alleges that Drizly and Rellas were alerted to security problems two years prior to the breach, yet failed to take steps to protect consumers’ data from hackers.

The order sharply limits what information the company can collect and requires significant data minimization practices. Aside from those remarkable actions, the FTC’s order is unique because it applies not only to the company but also to its CEO individually. By tying the CEO to the order as an individual, the FTC will require him to abide by the order even if he moves to a new company. This is good evidence that the FTC is further focusing on the requirement for board members to be personally involved in the cybersecurity posture of a company.

This increased focus on executive personnel in connection with data security concerns is not limited to the federal space. The New York Department of Financial Services’ (NYDFS) recent proposed amendments to its Cybersecurity Regulations also evidence an increased focus on board oversight of cybersecurity programs. On Nov. 9, 2022, the proposed second amendment to 23 NYCRR Part 500 (DFS Cybersecurity Regulation) was published in the New York State Register. The proposed amendments would require a covered entity to submit a written statement to the superintendent certifying that the covered entity has complied throughout the year with the requirements set forth in Part 500. This certification must be based upon data and documentation sufficient to accurately determine and demonstrate full compliance, and must be signed by the covered entity’s highest-ranking executive and its Chief Information Security Officer (CISO). If the entity does not have a CISO, the certification must be signed by the highest-ranking executive and by the senior officer responsible for the cybersecurity program of the covered entity. These certifications must be maintained by the covered entity for at least five years. The public comment period for these amendments ends on Jan. 9, 2023.

Based on both the action against Drizly and proposed changes to NYDFS’s Cybersecurity Regulations, executives and board members—including those who do not have a direct responsibility for cybersecurity—are under closer scrutiny and ought to pay attention to and stay abreast of their company’s cybersecurity programs. We expect this pattern to continue in other state and federal laws and regulations.

Our Data Innovation, Security and Privacy team is actively monitoring for developments in this space and has deep experience helping clients navigate complex regulatory issues related to cybersecurity. Contact your regular AT lawyers or one of the authors listed below for proactive guidance specific to your organization.
