Security Transparency Report Section (FTC v. Drizly 2022)

Section for an annual or ad-hoc transparency report: incident summary, program improvements, and consent order compliance (high level).


Purpose

A short section suitable for a transparency or trust report: (1) summary of the July 2020 incident (unauthorized access and exfiltration; discovery via external reports); (2) regulatory outcome (FTC consent order, no monetary penalty); (3) program improvements (information security program, MFA, credential management, data retention schedule, biennial assessment). Keep high level; avoid legal conclusions. Demonstrates accountability and progress to customers and partners.


Hallucinated writing examples

Scenario. In March 2023, after initial implementation of the FTC consent order (time), the CISO (role) submits a security transparency report section (type) to the Board Audit Committee (audience) for review prior to publication as part of a trust report.

DRAFT TRANSPARENCY REPORT — SECURITY SECTION

To: Board Audit Committee
From: Chief Information Security Officer
Date: March 15, 2023
Subject: Trust Report Draft — Security Incident Summary and Program Improvements

Incident summary (July 2020). In July 2020, an attacker gained unauthorized access to certain Company systems and exfiltrated consumer personal information. The Company did not detect the incident internally and learned of it through external reporting that data was offered for sale online.

Regulatory outcome (October 2022). In October 2022, the FTC announced an administrative action and a consent order requiring the Company to implement a comprehensive information security program, adopt and publish a data retention schedule, obtain biennial independent assessments, and maintain reporting and recordkeeping for compliance.

Security program improvements. Since the incident and in connection with the Order, the Company has implemented program and control enhancements focused on (1) authentication and access governance, including multifactor authentication for sensitive access; (2) improved credential handling and repository scanning to prevent secrets exposure; (3) monitoring for anomalous access and exfiltration; and (4) data minimization and retention practices to reduce unnecessary personal information storage.

Primary sources

© 2026 Yi Zhang. Licensed under the MIT License.