Security Public Statement (FTC v. Drizly 2022)
Draft for press or public breach/incident statement. Not an official Drizly statement; for reference and structure only.
Purpose
A template for a public statement after a data breach: what happened, what data was affected, what the company is doing (remediation, notification, credit monitoring if applicable), and what consumers can do. For the Drizly incident, the company would have issued (or did issue) a statement once the breach was known; the FTC complaint states that Drizly learned of the breach from external reports. Use this structure when drafting similar statements: keep them factual and concise, draw no legal conclusions, and direct affected individuals to specific actions (e.g., monitor accounts, place a fraud alert).
Hallucinated writing examples
Scenario. In July 2020, shortly after learning of external reports that consumer data was offered for sale online (time), the CISO (role) prepares a security public statement (type) for review by the Board Audit Committee (audience) prior to publication. The statement is factual, concise, and avoids overstating prior security controls.
DRAFT SECURITY PUBLIC STATEMENT
The Company is investigating reports indicating unauthorized access to certain systems and potential acquisition of consumer information. We are working with forensic specialists to determine the scope of the incident and to secure our systems.
What happened. We recently became aware of reports that data associated with our service may be offered for sale online. We immediately initiated an investigation and took steps to secure affected systems.
What information may be involved. Based on current information, the data may include consumer account and contact information. Our investigation remains ongoing, and we will provide updates as appropriate.
What we are doing. We have engaged external cybersecurity specialists, are reviewing access controls and credential handling, and are implementing additional safeguards. We are also assessing notification obligations.
What consumers can do. We encourage consumers to remain vigilant by reviewing account activity, monitoring for suspicious communications, and using unique, strong passwords for online accounts. Consumers should be cautious of unsolicited communications requesting personal information.
Primary sources
- FTC Complaint: In the Matter of Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).