close
close

FTC Holds Corporate Executives Personally Liable for Bad Business Practices | Woodruff Sawyer

Posted on by darion

“As part of its corporate responsibility drive, the Federal Trade Commission (FTC) has stepped up its efforts to hold CEOs personally liable for their companies’ failures to protect consumers.”

In recent cases involving Adobe, Cerebral, BlueSnap, and now-defunct Drizly, top executives, not just the company, are facing scrutiny and consequences for bad business practices. While much of this activity is “cyber-related,” cyber is not the FTC’s only focus when it comes to protecting consumers from fraud.

These actions mark a departure from the FTC’s traditional approach to enforcement, and the message is clear: corporate leaders must be held accountable for misconduct that puts consumers at risk.

Since when am I subject to FTC supervision?

Great question, and a reasonable one considering most companies don’t consider the FTC to be their primary regulator.

This can be a mistake if you are a consumer-facing company. The FTC has been increasingly aggressive in enforcing consumer protections over the past few years.

More precisely, according to FTC website, the FTC’s mission is quite broad:

The FTC’s mission is to protect the public from deceptive and unfair business practices and unfair methods of competition through enforcement, advocacy, research, and education.

The FTC’s scope of responsibility includes anticompetitive/antitrust practices. However, that is beyond the scope of this article.

In this article, we will focus on how the FTC’s growing zeal for consumer protection has led to a focus on executives. responsibility.

DOJ prosecutes executives on behalf of FTC

Traditionally, the FTC has sought to enforce its rights through restitution or the return of wrongfully obtained benefits in order to enforce its consumer protection priorities.

However, in 2021, the Supreme Court issued a decision on the matter AMG Capital Management, LLC v. FTC significantly limited the FTC’s ability to apply these remedies.

The consequence? In the absence of a resolution from Congress, the FTC reversed course, referring the cases to the Department of Justice so that the DOJ could pursue monetary penalties on behalf of the FTC. I’ll provide more details on this in the following sections.

Trends in FTC Enforcement Against Corporate Executives

Let’s look at the recent FTC cases against executives.

Adobe

In June 2024, the FTC asked the DOJ to sue Adobe and two of its executives in federal court. The FTC found that Adobe and its executives hid early termination fees for a popular subscription plan and also made it difficult to cancel the subscription plan.

Interestingly, the FTC is not pursuing Adobe’s CEO. Instead, it is pursuing Adobe’s senior vice president of digital go-to-market and sales and president of digital media (the latter reporting to the CEO). This case has just been filed, so its outcome won’t be known for some time.

It is also interesting complaint referring to the fact that Adobe was informed of customer dissatisfaction, including via social media.

Drizzle

Drizly, a once-popular online alcohol delivery app and former Uber subsidiary, is shutting down in 2024. This comes after a tumultuous history marked by a significant data breach in 2020 that compromised the personal information of 2.5 million consumers.

The origins of this security breach date back to 2018, when Drizly granted a company executive access to GitHub repositories for a hackathon but did not revoke that access.

This oversight allowed a hacker to gain access to Drizly’s GitHub repositories in 2020 by leveraging an executive’s credentials from an unrelated breach.

According to the FTC, despite security warnings, Drizly, under the leadership of then-CEO James Cory Rellas, failed to take basic security measures.

FTC Charges Drizly and Rellas for failing to enforce basic security protocols, such as two-factor authentication for GitHub and limiting employee access to sensitive data. The company also lacked comprehensive written security policies and adequate employee training, according to the agency.

In addition, Drizly publicly claimed to have adequate security measures. This discrepancy between public statements and actual security practices was key to the FTC’s action against the company and its CEO.

This FTC ordered Drizly will take special measures to protect your personal data and will make its data policy publicly available.

In a rare move, the FTC order also required Rellas to personally comply with his outlined security measures in every future company he will work for and which will collect “consumer information from more than 25,000 people where the majority owner, CEO or senior information security officer is the owner.”

This FTC Position“CEOs who cut corners on security should take note.”

Cerebral

Telemedicine service Cerebral recently came under scrutiny from the FTC, accusing it of blatantly violating consumer trust.

Although Cerebral advertises its services as “safe, secure, and discreet,” it allegedly shared the sensitive data of nearly 3.2 million consumers with third-party platforms like LinkedIn, Snapchat, and TikTok.

This data, including names, medical histories, addresses and more, was transmitted through tracking tools embedded in the company’s website and apps.

This 2024 FTC Complaint also cited numerous security breaches: sending promotional postcards revealing patient data, giving former employees access to records, using unsafe login methods and failing to maintain robust data security.

But that wasn’t the only problem. The FTC cited other deceptive business practices, such as violating the Restore Online Shoppers’ Confidence Act by making it difficult for consumers to cancel services, despite claims that cancellations could be made at any time.

Additionally, the FTC found that Cerebral and then-CEO Kyle Robertson violated the Opioid Addiction Treatment Fraud Prevention Act of 2018 by “employing unfair and deceptive practices with respect to substance use disorder treatment services.”

The FTC imposed millions of dollars in fines and penalties on Cerebral and required the company to implement additional security measures.

As for the former Cerebral CEO, at the time of this writing, the FTC announced that Robertson had not agreed to a settlement and that a court would rule on the charges against him.

Another Cerebral employee, a chief product officer, was named because of his role in misleading customers about the confidentiality of their data.

blue

Global payments platform BlueSnap recently found itself in hot water when the Federal Trade Commission found that it had processed millions of dollars in payments for fraudulent companies and was involved in credit card money laundering.

Despite internal reports AND Warnings from external sources indicating fraudulent activities by companies for which BlueSnap processed payments resulted in BlueSnap not taking appropriate action.

Shockingly, former CEO Ralph Dangelmaier and Senior Vice President Terry Monteith allegedly advised one fraudulent company on how to avoid detection, according to 2024 FTC report

The defendants have agreed to settle, and the FTC’s proposed order includes the following provisions:

  • $10 million payment from BlueSnap and its executives to the FTC to be used to refund consumers
  • Prohibition on Providing Payment Processing Services to Debt Relief and High-Risk Customers
  • Implementation of rigorous monitoring and fraud prevention measures
  • Prohibition on helping any customer avoid detection of fraud

Takeaways

The FTC enforcement actions against Adobe, Drizly, Cerebral, and BlueSnap underscore a general trend toward rigorous enforcement of corporate liability and personal liability of directors and officers.

However, if the FTC is like all other government agencies, it is hard to imagine that it will only prosecute actual bad actors for abuses. Agencies that conduct aggressive enforcement will inevitably take action against some innocent parties as well.

Here are some steps executives can take to protect themselves:

  • Monitor social media, the Better Business Bureau, and other sources of consumer complaints. The FTC encourages consumers to report suspected fraud directly to them. But many consumers will vent their anger on social media first. Executives should be on the lookout for a pattern that needs to be addressed sooner rather than later.
  • Document your response to consumer complaints. Not all consumer complaints are valid—but some are. You’ll want to show a process for distinguishing between the two, as well as documentation that you’ve addressed valid complaints.
  • Review your indemnity agreements. If you are a senior director with personal indemnity agreementyou may want to check this to confirm that you will receive an advance on your legal fees if the Justice Department sues you on behalf of the FTC. You should not, however, expect the company to pay your civil fines.
  • Review directors and officers liability insurance. D&O insurance for public company officers prosecuted by the DOJ on behalf of the FTC for consumer fraud may be available for both prosecutions and investigations. However, it is unlikely that coverage for a corporate entity will be available. There will also usually be exclusions for any civil fines. D&O insurance for private companies may, in some cases, be broader than that available for public companies.

The FTC’s position, highlighted in recent cases, reminds us that protecting consumer trust is a priority, and any attempts to bypass safety and ethical practices will not go unnoticed — or unpunished.