A $5.8 Million Wake-Up Call from the FTC

In 2023, the FTC finalized a settlement with Drizly and its CEO after a data breach exposed the personal information of roughly 2.5 million consumers. What made this case unusual wasn't just the fine — it was that the FTC named the CEO personally and imposed requirements that would follow him to future companies. That's the new enforcement reality.

If you run a business that collects consumer data — and you almost certainly do — FTC cybersecurity requirements for businesses are not optional guidelines. They're enforceable mandates backed by the full weight of Section 5 of the FTC Act. Ignore them, and you're gambling with your company's future.

This post breaks down exactly what the FTC expects, what enforcement looks like in practice, and the specific steps your organization needs to take right now.

What Are FTC Cybersecurity Requirements for Businesses?

The FTC doesn't publish a single checklist labeled "cybersecurity requirements." Instead, it enforces data security through a combination of its Section 5 authority (prohibiting unfair or deceptive practices), the Safeguards Rule under GLBA for financial institutions, the Health Breach Notification Rule, and the Children's Online Privacy Protection Act (COPPA).

Here's the core principle: if your business collects personal data from consumers and fails to implement reasonable security measures, the FTC can — and will — come after you. "Reasonable" is defined by decades of enforcement actions, consent orders, and the FTC's own published guidance.

The FTC's cybersecurity guidance for small businesses makes this explicit. You don't get a pass because you're small.

The Safeguards Rule: The Closest Thing to a Checklist

The updated Safeguards Rule, which took full effect in June 2023, is the most prescriptive set of FTC cybersecurity requirements for businesses in the financial sector. But its principles apply broadly to how the FTC evaluates any company's security posture. Key requirements include:

  • Designating a qualified individual to oversee your information security program
  • Conducting regular risk assessments
  • Implementing access controls and multi-factor authentication
  • Encrypting sensitive customer information in transit and at rest
  • Developing an incident response plan
  • Providing security awareness training to all employees
  • Conducting continuous monitoring or annual penetration testing
  • Overseeing service providers' security practices

Even if your business isn't technically a "financial institution" under GLBA, the FTC uses these same benchmarks when evaluating whether your security practices are "reasonable" under Section 5.

How the FTC Actually Enforces These Rules

The FTC doesn't just send warning letters. It brings enforcement actions that result in consent orders lasting 10 to 20 years, with ongoing reporting requirements and independent audits. Here's what that looks like in practice.

Real Enforcement: The Cases That Set the Standard

The FTC's case against CafePress in 2022 resulted in a $500,000 penalty after the company failed to secure customer data, covered up a breach, and stored Social Security numbers in plain text. The consent order required a complete overhaul of CafePress's security program.

The Chegg case in 2023 was another landmark. The education technology company suffered four separate breaches over several years. The FTC's complaint cited failures including employees sharing login credentials, lack of multi-factor authentication, and no monitoring of data access. The consent order required Chegg to implement a zero trust architecture and minimize data collection.

In the Drizly case I mentioned earlier, the FTC signaled a new era of personal accountability by naming the CEO individually. The message was unmistakable: executives who ignore security bear personal consequences.

What Triggers an FTC Investigation?

There are three common triggers: a reported data breach, a consumer complaint, or a referral from another agency. But here's what I've seen catch businesses off guard — the FTC also monitors public reporting. If a journalist writes about your breach before you've reported it, you're already behind.

The 7 Specific Steps Your Business Needs to Take

Based on every FTC consent order and guidance document I've analyzed, here's the practical framework your organization should follow:

1. Appoint a Security Leader

You need someone accountable. The Safeguards Rule requires a "qualified individual" — this can be an employee or an outsourced CISO, but the responsibility must be clearly assigned and documented.

2. Conduct a Written Risk Assessment

Identify what data you collect, where it lives, who has access, and what threats exist. This isn't a one-time exercise. The FTC expects ongoing assessments as your business and the threat landscape evolve.

3. Implement Multi-Factor Authentication Everywhere

The FTC has cited the absence of multi-factor authentication in nearly every recent enforcement action. If your employees access customer data with just a password, you're already non-compliant in the FTC's eyes.

4. Train Every Employee — Not Just IT

The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, credential theft, or simple errors. The FTC explicitly expects regular security awareness training for all personnel.

This is where most businesses fall short. A once-a-year slide deck doesn't meet the standard. You need ongoing, role-specific training that covers real-world threats like phishing and pretexting. Our cybersecurity awareness training program is built specifically to meet these requirements with practical, engaging content your employees will actually retain.

5. Deploy Phishing Simulations

Training alone isn't enough if you can't measure its effectiveness. The FTC's emphasis on "reasonable" security means you need to demonstrate that your program works. Regular phishing simulations test your employees against realistic threat actor tactics and give you measurable data to present during an audit or investigation.

If you haven't started running phishing simulations yet, our phishing awareness training for organizations provides turnkey campaigns that map directly to the scenarios the FTC cares about most.

6. Encrypt and Minimize Data

Stop collecting data you don't need. Encrypt what you do collect. The Chegg consent order specifically required data minimization — a clear signal that the FTC views over-collection as a security failure in itself.

7. Build and Test an Incident Response Plan

Having a plan on paper isn't enough. The FTC expects you to test it. Tabletop exercises, breach simulations, and clearly defined roles for who does what when ransomware hits at 2 AM on a Saturday — that's what "reasonable" looks like.

Does the FTC Require Specific Cybersecurity Standards?

Not exactly. The FTC doesn't mandate a specific framework like NIST or ISO 27001. However, it heavily references the NIST Cybersecurity Framework in its guidance and consent orders. Aligning your program with NIST CSF gives you a strong defensible position if the FTC ever comes knocking.

The FTC also draws from CISA's cybersecurity guidance and regularly collaborates with the agency on threat advisories. Following both sets of guidance puts you well ahead of the enforcement curve.

Small Business? You're Not Exempt

I hear this constantly from small business owners: "The FTC only goes after big companies." That's dangerously wrong. The FTC has brought actions against companies with fewer than 50 employees. The SkyMed case in 2021, the SpyFone case in 2021 — these weren't Fortune 500 companies.

If you collect names, email addresses, payment information, or health data from consumers, you're in scope. Period. The size of your business doesn't determine whether you need to comply with FTC cybersecurity requirements for businesses — the data you handle does.

What Happens If You Get It Wrong

Let's be blunt about the consequences:

  • Financial penalties ranging from hundreds of thousands to millions of dollars
  • 20-year consent orders with mandatory biennial security audits by independent assessors — at your expense
  • Personal liability for executives, as demonstrated in the Drizly case
  • Mandatory reporting of any future security incidents directly to the FTC
  • Reputational damage that no PR firm can fully repair

Compare that against the cost of implementing reasonable security measures, running employee training, and conducting regular risk assessments. The math isn't close.

Start With What the FTC Actually Looks At

Every FTC enforcement action follows a pattern. The agency looks for basic failures: unpatched systems, absent multi-factor authentication, untrained employees falling for social engineering attacks, excessive data retention, and no incident response plan. These aren't sophisticated zero-day exploits — they're preventable failures.

Your action plan is straightforward. Assign accountability. Assess your risks. Train your people. Test your defenses. Document everything. The FTC's bar for "reasonable" security isn't impossibly high — but it's a bar you have to actively clear.

The businesses that get burned are the ones that assumed compliance was someone else's problem. Don't be one of them.