FTC Holding Corporate Officers Personally Liable for Bad Business Practices

In a push for corporate accountability, the Federal Trade Commission (FTC) has intensified its efforts to hold CEOs personally responsible for their companies' lapses in protecting consumers.

In recent cases involving Adobe, Cerebral, BlueSnap, and the now-defunct Drizly, the top executives, not just the companies, face scrutiny and consequences for bad business practices. While many of these actions are “cyber” related, cyber is not the sole focus of the FTC when it comes to protecting consumers against fraud.

These actions mark a departure from the traditional FTC enforcement approach, and the message is clear: Corporate leaders must bear responsibility for misconduct that puts consumers at risk.

Since When Am I Regulated by the FTC?

Great question, and also a reasonable one given that most companies don’t consider the FTC to be a primary regulator.

This may be a mistake if you are a consumer-facing company. The FTC has been increasingly aggressive in the past few years when it comes to enforcing consumer protection.

Specifically, according to the FTC’s website, the FTC’s mission is quite broad:

The FTC’s mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.

The FTC’s scope of responsibilities includes anti-competitive practices/anti-trust practices. That, however, is outside the scope of this article.

This article will focus on how the FTC’s increasing zeal for its consumer protection mandate has led to a focus on executive accountability.

The DOJ Pursues Executives on Behalf of the FTC

Historically, the FTC has sought the remedies of restitution or disgorgement to enforce its consumer protection priorities.

However, in 2021, the Supreme Court’s decision in AMG Capital Management, LLC v. FTC significantly curbed the FTC’s ability to pursue these remedies.

The consequence? In the absence of a congressional fix, the FTC pivoted by referring cases to the Department of Justice so that the DOJ pursues monetary penalties on behalf of the FTC. I’ll provide more details about this in the following sections.

Trending FTC Enforcement Actions Against Corporate Executives

Let’s look at some recent FTC cases against executives.

Adobe

In June 2024, the FTC asked the DOJ to sue Adobe and two of its executives in federal court. The FTC asserted that Adobe and its executives hid early termination fees for a popular subscription plan and also made it difficult to cancel the subscription plan.

Notably, the FTC is not pursuing Adobe’s CEO. Instead, it is pursuing the senior vice president of digital go to market and sales, and the president of digital media business at Adobe (the latter reports to the CEO). This case has just been filed, so the outcome will not be known for some time.

Also interesting is the complaint’s reference to the fact that Adobe was on notice that customers were unhappy, including through social media.

Drizly

Drizly, the once-popular online alcohol delivery app and former Uber subsidiary, closed in 2024. This came after a turbulent history marked by a significant data breach in 2020 that compromised the personal information of 2.5 million consumers.

The seeds of this breach were sown in 2018 when Drizly granted a company executive access to its GitHub repositories for a hackathon but failed to revoke the access afterward.

This oversight enabled a bad actor in 2020 to gain access to Drizly’s GitHub repositories by reusing the executive’s credentials from an unrelated breach.

According to the FTC, despite security warnings, Drizly, under the leadership of then-CEO James Cory Rellas, failed to enact basic security measures.

The FTC charged Drizly and Rellas with neglecting to enforce basic security protocols, such as two-factor authentication for GitHub and limiting employee access to sensitive data. The company also lacked comprehensive written security policies and proper employee training, according to the agency.

In addition, Drizly publicly claimed to have appropriate security protections in place. This discrepancy between public statements and actual security practices was critical in the FTC's action against the company and its CEO.

The FTC ordered Drizly to take specific measures to protect personal data and communicate its data policies to the public.

In a rare move, the FTC’s order also required Rellas to personally comply with its outlined security measures at any future company he works at that collects consumer information from more than 25,000 individuals and where he is a majority owner, CEO, or senior officer with information security responsibilities.

The FTC’s position? “CEOs who take shortcuts on security should take note.”

Cerebral

Telehealth service Cerebral recently found itself under scrutiny from the FTC, accused of egregious breaches of consumer trust.

Despite touting its services as “safe, secure, and discreet,” Cerebral allegedly shared the sensitive data of nearly 3.2 million consumers with third-party platforms like LinkedIn, Snapchat, and TikTok.

This data, comprising names, medical histories, addresses, and more, was funneled through tracking tools embedded in the company's website and apps.

The FTC’s 2024 complaint also highlighted numerous security failures: sending promotional postcards revealing patient data, allowing former employees access to records, using insecure sign-on methods, and neglecting robust data security.

But this wasn’t the only problem. The FTC outlined other deceptive business practices, such as violating the Restore Online Shoppers’ Confidence Act by making it difficult for consumers to cancel services despite claims that cancellations could be made at any time.

In addition, the FTC stated Cerebral and then-CEO Kyle Robertson violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 by “engaging in unfair and deceptive practices with respect to substance use disorder treatment services.”

The FTC ordered fines and penalties for Cerebral in the millions and required the company to implement additional security measures.

As for the former CEO of Cerebral, at the time of writing, the FTC announced that Robertson had not agreed to a settlement and that the court would decide the charges against him.

Another Cerebral employee, its chief product officer, was also named for that executive’s involvement in misleading consumers about the confidentiality of their data.

BlueSnap

Global payment platform BlueSnap recently found itself in hot water when the FTC discovered it had processed millions in payments for fraudulent companies and participated in credit card laundering.

Despite internal reports and warnings from external sources indicating the companies that BlueSnap was processing payments for were fraudulent, BlueSnap failed to take appropriate action.

Shockingly, the company’s former CEO Ralph Dangelmaier and Senior VP Terry Monteith even allegedly advised one fraudulent company on how to evade fraud detection, according to the FTC’s 2024 report.

The defendants agreed to a settlement, and the FTC’s proposed order includes the following:

  • A $10 million payment from BlueSnap and its executives to the FTC to be used for consumer refunds
  • A ban on providing payment processing services to debt relief and high-risk clients
  • Implementation of strict fraud monitoring and prevention measures
  • Prohibition against assisting any client in evading fraud detection

Takeaways

The FTC enforcement actions against Adobe, Drizly, Cerebral, and BlueSnap underscore a broader trend towards stringent enforcement of corporate accountability and personal responsibility of directors and officers.

However, if the FTC is like all other government agencies, it is impossible to imagine that it will only accuse actual bad actors of malfeasance. Agencies conducting aggressive enforcement will inevitably bring action against some innocent parties as well.

Here are some steps executives can take to protect themselves:

  • Monitor Social Media, the Better Business Bureau, and Other Sources for Consumer Complaints. The FTC encourages consumers to report suspected fraud directly to it. However, many consumers will first vent their spleen on social media. Executives should take note if a pattern is developing that needs to be addressed sooner rather than later.
  • Document Your Response to Consumer Complaints. Not all consumer complaints are valid—but some are. You will want to be able to show a process for distinguishing the two, as well as documentation proving you addressed the valid complaints.
  • Review Your Indemnification Agreements. If you are a senior executive with a personal indemnification agreement, you may want to review it to confirm that you will have legal fees advanced should the Department of Justice sue you on behalf of the FTC. You should not, however, expect a company to pay your civil fines.
  • Review Your Directors & Officers Liability Insurance. D&O insurance coverage for public company officers being pursued by the DOJ on behalf of the FTC for consumer fraud may be available, both for prosecutions and investigations. Coverage for the corporate entity, however, is unlikely to be available. There will also typically be exclusions for any civil fines. D&O insurance coverage for private companies may, in some cases, be broader than what is available for public companies. 

The FTC's stance as highlighted in recent cases reminds us that safeguarding consumer trust is paramount, and shortcuts in security and ethical practices will not go unnoticed—or unpunished.
