
Regulatory Security Explanation (FTC v. Drizly 2022)

Use this to explain your organization’s security posture and controls to a regulator (e.g., the FTC); it demonstrates program effectiveness and responsiveness to a consent order.


Hallucinated writing examples

Scenario. In November 2022, following the FTC consent order (time), an external regulator or auditor (FTC staff) (audience) requests a written explanation of the company’s information security program and compliance with the order. The Chief Information Security Officer (role) submits a regulatory security explanation (type) that addresses governance, the written program, access control and credential management, monitoring, data minimization, and evidence of operation.

REGULATORY SECURITY EXPLANATION

To: Federal Trade Commission (Staff)
From: [Company] — Chief Information Security Officer
Date: [Date]
Re: Response to FTC Request — Information Security Program and Consent Order Compliance (FTC Docket No. 2023185)

Introduction. This submission describes the Company’s information security program and compliance with the Decision and Order accepted by the Federal Trade Commission on October 24, 2022. The scope includes designation of a program coordinator, risk assessment, safeguards (access control, credential management, secure development, monitoring, data minimization), training, testing, service provider oversight, and evidence supporting each element. All assertions are supportable by the attached evidence index.

Governance. [Designated executive] has been designated to coordinate the information security program. The program is documented in writing and approved by [board/executive]. Reporting on program effectiveness and consent order progress is provided to [board/audit committee] on a [cadence] basis.

Risk assessment and safeguards. Material risks to the security of personal information have been identified and documented. Safeguards implemented include:

(1) Access control and credential management: multifactor authentication for all accounts with access to source code or production credentials; no storage of credentials in source repositories; role-based access and timely offboarding.
(2) Secure development: repository scanning for secrets; change approval for high-risk systems.
(3) Monitoring: logging and monitoring for anomalous access and exfiltration; regular assessments.
(4) Data minimization: published data retention schedule; process to delete or de-identify personal information when no longer necessary.

Evidence: program document, access reviews, retention schedule, assessment reports.

Consent order compliance. The Company is implementing the comprehensive information security program, data retention schedule, and biennial independent assessment required by the order. This response is submitted for staff review and is supported by the attached evidence index.


Primary sources

© 2026 Yi Zhang. Licensed under the MIT License.