Customer Security Explanation (FTC v. Drizly 2022)
Explain the incident and the company’s response to affected customers. Not an official Drizly notice; for reference and structure only.
Purpose
A template for customer notification after a data breach: what happened, what personal information was involved, what steps the company has taken (secure systems, notify regulators, cooperate with law enforcement), what the company is offering (e.g., credit monitoring, identity protection if applicable), and what customers should do (review accounts, consider fraud alerts, contact support). Align tone with FTC expectations: accurate, not deceptive; avoid overstating security measures that were not in place at the time of the breach.
Hallucinated writing examples
Scenario. In July 2020, shortly after the Company confirmed unauthorized access (time), the Security Director (role) drafts a customer security explanation (type) for the CISO (audience) to approve prior to distribution to affected consumers.
DRAFT CUSTOMER NOTICE — SECURITY INCIDENT
We are writing to provide notice of a security incident involving unauthorized access to certain Company systems and potential access to consumer information. The investigation remains ongoing; this draft is intended for factual communication and does not state legal conclusions.
What happened. We identified unauthorized access to certain systems and are investigating the scope and timing. We initiated containment and engaged external cybersecurity specialists.
What information may be involved. Depending on the account, information may include contact information and account details. We will provide supplemental details as the investigation confirms specific data elements.
What we are doing. We have secured affected systems, are strengthening authentication and credential handling, and are increasing monitoring for anomalous activity. We are also reviewing data retention and minimization practices to reduce future exposure.
What you can do. We recommend that you use unique, strong passwords for online accounts, remain vigilant for phishing or suspicious communications, and monitor your accounts for unauthorized activity. If you have questions, please contact our support team at [support contact].
Primary sources
- FTC Complaint: In the Matter of Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).
- FTC Decision and Order: Decision and Order, FTC Docket No. 2023185 (Oct. 24, 2022).