The FTC Just Fined Another Company Millions — Is Yours Next?

In 2021 the FTC finalized sweeping updates to its Safeguards Rule; most of the new requirements took effect in June 2023, and a further amendment that year added a breach notification requirement. Since then, enforcement has only accelerated. Companies like Chegg, CafePress, and Drizly were placed under consent orders that dictate their security programs for years, and in Drizly's case the Commission named the CEO personally. If you think FTC cybersecurity requirements for businesses only apply to big tech or financial institutions, you're already behind.

The Federal Trade Commission has made it unmistakably clear: if you collect consumer data, you have a legal obligation to protect it. And "reasonable security" isn't a suggestion — it's the standard they'll measure you against in court.

This post breaks down exactly what the FTC expects, what triggers enforcement, and the practical steps your organization needs to take right now to stay compliant and avoid becoming the next cautionary headline.

What Are the FTC Cybersecurity Requirements for Businesses?

The FTC derives its authority from Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices." If you promise customers you'll protect their data — through a privacy policy, terms of service, or even marketing language — and then fail to do so, the FTC considers that deceptive. If your security practices are so weak that they cause substantial consumer harm, that's unfair.

Beyond Section 5, the Gramm-Leach-Bliley Act's Safeguards Rule applies to financial institutions under FTC jurisdiction, broadly defined: auto dealers, mortgage brokers, tax preparers, and any business significantly engaged in financial activities. The updated rule spells out specific controls, with a narrower set of obligations for institutions that hold customer information on fewer than 5,000 consumers (those are excused from the written risk assessment, the continuous monitoring or penetration-testing requirement, the written incident response plan, and the annual report to the board, but not from the rest).

The Safeguards Rule's Core Requirements

  • Designate a Qualified Individual to oversee your information security program. This can be an employee or a third-party service provider.
  • Conduct a written risk assessment that identifies internal and external threats to the security, confidentiality, and integrity of customer information.
  • Implement access controls to limit who can access customer data, based on business need.
  • Encrypt customer information both in transit and at rest, unless your Qualified Individual approves in writing an alternative compensating control that is at least as effective.
  • Require multi-factor authentication for any individual accessing any information system that holds customer data, unless your Qualified Individual approves in writing a reasonably equivalent or stronger access control.
  • Develop a written incident response plan that you actually test and update.
  • Train your employees in security awareness, and keep that training current.
  • Monitor and test the effectiveness of your safeguards, either through continuous monitoring or through annual penetration testing plus vulnerability assessments at least every six months.
  • Oversee your service providers: select ones capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess them.
  • Notify the FTC within 30 days of discovering a breach involving unencrypted customer information of 500 or more consumers (added by the 2023 amendment, in effect since May 2024).

Even if your business falls outside the Safeguards Rule, the FTC's broader Section 5 enforcement still applies. The Commission has brought over 80 data security cases, and the pattern is consistent: businesses that fail to implement basic, reasonable security measures get hammered.

The $4.88M Lesson Most Small Businesses Learn Too Late

According to the IBM Cost of a Data Breach Report, the average cost of a data breach hit $4.88 million in 2024. For smaller organizations, the cost is lower in raw dollars but far more devastating as a percentage of revenue. Many don't survive.

The FTC's action against Drizly is a case study every business leader should read. After a 2020 data breach exposed the personal information of about 2.5 million consumers, the FTC didn't just go after the company; it named the CEO personally in the consent order. That order binds him for ten years at any future company he runs or majority-owns, not just at Drizly. That's not a fine. That's a career-defining consequence.

What did Drizly do wrong? The basics. Employees accessed the company's source-code repositories without multi-factor authentication, those repositories contained credentials for its cloud infrastructure, the company had no written security policies and gave employees no security training, and it didn't monitor its systems for unauthorized access. None of this was sophisticated; it was negligence.

What Triggers an FTC Enforcement Action?

I've seen organizations assume the FTC only cares about massive breaches. That's wrong. Here's what actually draws their attention:

  • A data breach followed by consumer complaints. The breach itself isn't illegal, but the failure to have reasonable safeguards is.
  • Deceptive privacy policies. If your website says "we use industry-leading security" and you haven't patched a known vulnerability in two years, that's deception.
  • Repeated failures. The FTC looks for patterns — companies that knew about risks and ignored them.
  • Credential theft at scale. When a threat actor exploits weak authentication and you had no MFA, no monitoring, and no training, the FTC sees a systemic failure.

The Commission's complaint against CafePress specifically cited the company's failure to investigate security incidents, its use of plain SHA-1 to hash passwords (a fast general-purpose hash, not a password-hashing function, so stolen hashes are cheap to crack), and its storage of Social Security numbers and password-reset answers in plain text. These aren't edge cases. They're checkboxes your organization should have covered years ago.

How Do I Make My Business FTC Compliant?

This is the question I get most often, so let me lay it out clearly. FTC compliance isn't about buying a single product. It's about building a security program that demonstrates reasonable, ongoing effort. Here's what that looks like in practice:

1. Write It Down

You need a written information security program. The FTC expects documentation — risk assessments, policies, incident response plans. If it's not written down, it doesn't exist in the eyes of a regulator.

2. Train Every Employee, Every Year

The Verizon Data Breach Investigations Report consistently finds a human element (phishing, stolen credentials, misuse, or error) in the majority of breaches. The FTC has specifically cited lack of employee training as a failure in multiple enforcement actions. Your team needs to recognize phishing emails, understand credential theft tactics, and know how to report suspicious activity.

If you're looking to build a structured training program, our cybersecurity awareness training course covers the exact topics regulators expect. For organizations that need hands-on phishing simulations, our phishing awareness training for organizations provides realistic exercises that test and reinforce employee behavior.

3. Implement Multi-Factor Authentication

This is required under the updated Safeguards Rule (absent a written, equivalent alternative approved by your Qualified Individual) and a baseline expectation in every FTC enforcement action I've reviewed. MFA stops the large majority of credential-based attacks, but not all of them: SMS codes can be intercepted and push prompts can be approved by a tired user, so prefer phishing-resistant factors such as FIDO2 security keys or passkeys for administrators and for anything internet-facing. If you're not using MFA everywhere (email, cloud platforms, VPN, source-code hosting, administrative consoles) you're exposed both technically and legally.

4. Encrypt Everything

Customer data must be encrypted in transit and at rest. The FTC's action against CafePress specifically called out weak password storage. Use current standards: TLS 1.2 or later (1.3 preferred) for data in transit; an authenticated mode such as AES-256-GCM for data at rest, with keys kept in a key management service rather than beside the data; and a dedicated password-hashing function (Argon2id, bcrypt, or scrypt) with a unique salt per user for passwords. Keep the distinction straight: passwords are hashed, not encrypted, because you should never need to recover them.
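To make the CafePress lesson and the password-hashing guidance above concrete, here is an added example, not code from the original post or from any company it mentions. It contrasts the unsalted SHA-1 pattern with salted, slow password hashing and shows why a leaked SHA-1 table is cracked by lookup while per-user salted records are not. It uses scrypt from Python's standard library as a stand-in for bcrypt or Argon2id, which need third-party packages; the wordlist, the sample password, and the `scrypt$...` record format are constructed for this demo.

```python
"""Password storage: the unsalted SHA-1 pattern vs. a salted, slow KDF.

Added example.  The weak half mirrors the practice cited in the CafePress
complaint (passwords hashed with plain SHA-1); the reasonable half uses
scrypt from the standard library as a stand-in for bcrypt or Argon2id
(assumption: those would be the production choice, via their own packages).
The wordlist, sample password and record format below are constructed.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional


# ---- weak pattern: unsalted SHA-1 (shown only to demonstrate the failure) ----

def weak_hash(password: str) -> str:
    """Unsalted SHA-1: fast, and identical for every user with the same password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Lookup-table attack: with no salt, one precomputed table breaks every account."""
    table = {weak_hash(candidate): candidate for candidate in wordlist}
    return table.get(stored_hex)


# ---- reasonable pattern: per-user salt, memory-hard KDF, constant-time compare ----

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per hash; raise N as hardware improves
SALT_BYTES = 16
KEY_LEN = 32


def store_password(password: str) -> str:
    """Return a self-describing record so the parameters can be upgraded later."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Run both patterns against a constructed wordlist and report what happened."""
    wordlist = ["password", "123456", "letmein", "qwerty", "Summer2024!"]  # constructed
    user_password = "Summer2024!"                                            # constructed

    weak_record = weak_hash(user_password)
    strong_a = store_password(user_password)
    strong_b = store_password(user_password)  # same password, different salt

    return {
        # The SHA-1 hash is recovered instantly from a five-word table.
        "weak_cracked_as": crack_weak(weak_record, wordlist),
        # Two users with the same password get different records, so no shared table works.
        "strong_records_differ": strong_a != strong_b,
        "strong_accepts_correct": verify_password(user_password, strong_a),
        "strong_rejects_wrong": verify_password("Summer2023!", strong_a),
        "strong_rejects_garbage": verify_password(user_password, "not-a-record"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to a real deployment: the record embeds its own algorithm and cost parameters, so you can raise them later and re-hash each user at their next successful login, and the comparison uses `hmac.compare_digest` so verification time does not leak how many bytes matched. Note that salting alone would not rescue the SHA-1 half; the attacker would still get billions of guesses per second per account, which is why the slow, memory-hard function matters.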

5. Adopt a Zero Trust Mindset

The FTC hasn't mandated zero trust architecture by name, but every requirement they enforce aligns with its principles: verify explicitly, enforce least-privilege access, and assume breach. NIST's SP 800-207 Zero Trust Architecture is the framework to follow.

6. Test Your Defenses

Under the Safeguards Rule you must either run continuous monitoring or, failing that, conduct annual penetration testing and vulnerability assessments at least every six months (and whenever a material change to your operations warrants it). Even if you're outside its scope, regular testing, with findings tracked to closure, demonstrates the "reasonable security" standard the FTC demands under Section 5.

7. Have a Real Incident Response Plan

Not a template you downloaded and forgot. A plan your team has rehearsed, with defined roles, communication protocols, and containment procedures. When a ransomware attack hits at 2 AM on a Saturday, you can't afford to improvise.

The FTC Is Getting More Aggressive, Not Less

In recent years, the FTC has moved from reactive enforcement to proactive rulemaking. The Health Breach Notification Rule has been expanded. The Safeguards Rule was overhauled with specific technical requirements. And the Commission has publicly stated it will continue to hold executives personally accountable.

The message is clear: FTC cybersecurity requirements for businesses aren't aspirational guidelines. They're enforceable mandates with real consequences — consent orders lasting 20 years, mandatory third-party assessments paid out of your pocket, and personal liability for leadership.

Your Compliance Checklist for 2026

  • Appoint a Qualified Individual responsible for your security program.
  • Complete and document a comprehensive risk assessment.
  • Deploy multi-factor authentication across all systems handling customer data.
  • Encrypt all customer information in transit and at rest.
  • Conduct annual penetration testing and semi-annual vulnerability assessments.
  • Implement continuous security awareness training for all employees.
  • Run regular phishing simulations to test employee response.
  • Maintain a written, tested incident response plan.
  • Review and restrict access controls quarterly.
  • Monitor vendor security and enforce contractual safeguards.
  • Be ready to notify the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers.

Every item on this list maps directly to either the Safeguards Rule or patterns from FTC enforcement actions. Skip any one of them, and you're creating the exact gap a threat actor — or an FTC investigator — will find.

Stop Treating Compliance as a Checkbox

Here's what I tell every organization I work with: compliance is a byproduct of good security, not the other way around. If you build a genuine security culture — where employees recognize social engineering, where access is tightly controlled, where leadership treats data protection as a business priority — you'll meet the FTC's requirements without scrambling.

Start with training. It's the single highest-ROI investment in your security program, and it's the one the FTC cites most often when it's missing. Get your team enrolled in a structured cybersecurity awareness program and pair it with phishing simulation exercises that turn knowledge into behavior.

The FTC isn't going to warn you before they investigate. By the time you hear from them, the breach has already happened, the consumers have already complained, and your legal team is already behind. The time to act on FTC cybersecurity requirements for businesses is before the incident — not after.