Markkula Center for Applied Ethics

Should Drizly CEO be Punished for Data Breach?

Federal Trade Commission Building

Sarah Cabral

Sarah Cabral is a senior scholar for business ethics with the Markkula Center for Applied Ethics at Santa Clara University. Views are her own.

Note: October is Cybersecurity Awareness Month! See our "Introduction to Cybersecurity Ethics" and related case studies.

This article appears across the Ethics Center website to readers of All About Ethics, Benison: The Practice of Ethical Leadership, and Internet Ethics: Views From Silicon Valley.

Should CEOs be held personally accountable for their company’s data security breaches? According to the Federal Trade Commission (FTC) in its proposed order against Drizly and CEO James (Cory) Rellas, the answer is “yes.”

Drizly is a Boston-based company that was founded in 2012 when, upon finding their fridge empty, Boston College student Nick Rellas ‘12 texted his friend and recent graduate Justin Robinson ‘11 out of frustration, “Why can’t you get alcohol delivered?” They co-founded Drizly that same year with Nick’s cousin, Cory Rellas. Nick, Justin, and Cory were able to figure out a legal, safe, and profitable way to deliver alcohol through an app. Last year, Uber acquired Drizly for $1.1 billion.

It was not the illegal or harmful sale of alcohol that got the company and Cory Rellas embroiled in an ethical and regulatory controversy, but rather the failure to protect the personal information of its consumers. In 2018, a Drizly employee posted company login information to GitHub, and hackers used this information to mine cryptocurrency. In 2020, hackers once again obtained company login information through GitHub, this time by compromising a Drizly employee’s account, and stole customers’ personal information. The proposed order against Drizly and Rellas is a response to the company’s failure to address security problems first identified in 2018.

While all four FTC commissioners voted to issue the order to Drizly, Commissioner Christine Wilson dissented to the inclusion of Cory Rellas, who is required to implement an information security program if he moves to another company that collects information on 25,000+ consumers. In her separate statement, Wilson noted that the FTC was not alleging that Rellas had direct knowledge of the practices that led to the FTC investigation, but rather that he should have prioritized hiring a senior executive to oversee data security. Wilson, however, disagrees that the FTC should “substitute its own judgment about corporate priorities and governance decisions for those of companies.” For this reason, she argues that Rellas should not be included.

At the Markkula Center for Applied Ethics, we use a framework rooted in the history of philosophy for moral decision-making in order to make ethical sense of actions such as the FTC’s order against Drizly and Rellas. If we analyze this case through a utilitarian or consequentialist lens, it could be argued that Rellas ought to be included in the complaint because other CEOs will pay attention and tighten their security protocols, benefiting a great number of consumers who can avoid the harm of having their personal information stolen. Also, the penalty for Rellas seems relatively minor.

However, if we view this case from a rights or means-end perspective, one could object to Rellas’ inclusion in the FTC complaint, arguing that Rellas is being used merely as a means to send a message to other CEOs. Surely there have been other CEOs who were at the helm during security breaches and were not named by the FTC. However, Rellas is not the first to be individually named. The operator of ClixSense, James Vargo, and the CEO of i-Dressup, Zhijun Liu, have also faced penalties from the FTC. Since the complaint does not hold Rellas plainly responsible for the hack, and because he had no intention of mishandling consumers’ personal information, it is at least morally unclear that Rellas ought to have been personally included in the FTC order. We can understand Commissioner Wilson’s dissent as her moral disagreement with the other commissioners’ violation of Rellas’ ability to make free and rational decisions for a company in the way that he sees fit. This kind of personal autonomy is prioritized by the rights approach.

A better strategy may be for Congress to allow the FTC to fine companies so heavily that they choose to prioritize data security in the first place. The FTC could well use these resources to increase its number of enforcement settlements per year. Drizly ignored warning signs and should face financial penalties, not just corrective security measures, for doing so.

Oct 31, 2022