[ferrocarraiges]

I am genuinely curious: why did the FTC take this enforcement action?

There is no fine, no prosecution, no consequences of any sort. Essentially, they're just asking the executive to "implement an information security program" at any companies they head.

This seems to send the message that there are absolutely no consequences for getting caught hiding an extremely negligent data breach. Was that the FTC's intent?

[kingkilr]

Since last year's AMG case in the Supreme Court, the FTC is not authorized to seek monetary relief in these cases.

The FTC can seek monetary relief if this order is violated.

[jnorthrop]

There is this condition

> Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information

I'm not aware of any other decree following the CEO to other companies.

[philip1209]

Interesting - as cybersecurity insurance becomes more popular, I'm curious how orders like this will affect that. Maybe there will be a new checkbox on insurance forms saying "I'm not personally sanctioned by the FTC for information security lapses"

[fragmede]

That's an interesting thing to hang around his neck. You'd hope all companies like that (25k+ customers) already have an information security program though. Maybe Relias can take it as a selling point and has a future as an infosec CEO?

[adrr]

FTC isn't the DOJ. They can't prosecute anything.

[akira2501]

They can file for injunctive relief and issue cease and desist orders. If those orders aren't followed, they can proceed with monetary relief as well.

The FTC can do whatever congress authorizes them to do. The supreme court decided that what congress laid out in law required the FTC to file the cease and desist first, and then if that order is violated, then they can peruse further action.