Implementation Checklist (0–30 / 30–60 / 60–90 days) — FTC v. Drizly

Execution plan for consent order compliance. Adjust dates to your organization’s order acceptance date.

0–30 days

  • Designate program coordinator and document reporting line
  • Publish or adopt written information security program (draft or final)
  • Issue internal directive on MFA, no credentials in code, and data retention
  • Begin access review and MFA rollout for privileged/sensitive access
  • Deploy or confirm repository scanning for secrets; remediate any findings
  • Publish data retention schedule (internal or public per order)

30–60 days

  • Complete MFA enforcement for all accounts with access to source code or production credentials
  • Complete access review and offboarding of stale access
  • Implement or confirm deletion process for personal information per retention schedule
  • Finalize risk register entries for access control, monitoring, data retention, and program maturity
  • Schedule biennial independent assessment (assessor selection and scope)

60–90 days

  • Complete first cycle of retention schedule compliance (deletion/de-identification evidence)
  • Provide program documentation and the evidence index to the FTC if requested
  • Board or committee briefing on program status and consent order progress
  • Kick off or complete biennial independent assessment (per order timeline)

© 2026 Yi Zhang. Licensed under the MIT License.