The $5.7 Billion Wake-Up Call You Can't Ignore
In 2023, the FTC received over 5.39 million reports of fraud and identity theft, costing consumers billions. The agency didn't just collect reports — it started swinging hard at the businesses that failed to protect that data. By 2024, the FTC had finalized sweeping changes to the Health Breach Notification Rule and continued an aggressive enforcement posture that has only intensified into 2025.
If you run a business that collects customer data — and you almost certainly do — FTC cybersecurity requirements for businesses aren't optional guidelines. They're enforceable mandates backed by consent orders, fines, and decades of mandatory auditing. I've watched companies from Fortune 500s to ten-person startups get caught flat-footed. Here's what you actually need to know and do right now.
What the FTC Actually Requires: Section 5 and Beyond
The FTC doesn't publish a single checklist titled "do these ten things." Instead, it enforces cybersecurity through Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices." If you tell customers you protect their data and then don't, that's deceptive. If your security is so weak that a breach was reasonably foreseeable, that's unfair.
Here's what that means in practice. The FTC looks at whether your organization has implemented "reasonable" security measures. They've spelled out what "reasonable" looks like through dozens of enforcement actions, consent orders, and published guidance — particularly the FTC's guidance aligning with the NIST Cybersecurity Framework.
The Reasonableness Standard
The FTC evaluates your security relative to the sensitivity of the data you hold, the size and complexity of your business, and the cost of available tools. A healthcare startup holding patient records faces a higher bar than a local bakery with an email list — but both are on the hook.
In my experience, the companies that get into trouble aren't the ones that suffered a sophisticated nation-state attack. They're the ones that skipped the basics: no multi-factor authentication, no encryption in transit, no employee training, no access controls. The FTC has made this clear in case after case.
FTC Enforcement Actions That Should Scare You
Let's talk specifics, because abstract requirements don't change behavior. Real consequences do.
Drizly (2022): The CEO Got Named Personally
When the alcohol delivery platform Drizly suffered a data breach exposing roughly 2.5 million consumers' personal information, the FTC didn't just go after the company. It named CEO James Cory Rellas personally in the consent order. The FTC's complaint alleged that Drizly failed to implement basic security measures despite prior warnings — storing critical data on an unsecured platform, failing to monitor for security threats, and neglecting to implement multi-factor authentication.
The order required Drizly to destroy unnecessary data and implement a comprehensive security program, and — crucially — those requirements follow the CEO to any future companies he leads. That's personal liability for cybersecurity failures. If you're a founder or executive, read that again.
Chegg (2022): Four Breaches, Then the Hammer
Education technology company Chegg suffered four separate security breaches between 2017 and 2020, exposing data on approximately 40 million customers. The FTC's complaint cited failures including employees and contractors sharing login credentials, lack of multi-factor authentication, and outdated encryption practices. The consent order mandated a comprehensive information security program and required Chegg to minimize data collection.
Fortnite / Epic Games (2022): $275 Million
Epic Games agreed to pay $275 million to settle FTC allegations related to violations of the Children's Online Privacy Protection Act (COPPA) and dark patterns. While COPPA-specific, the case reinforced the FTC's willingness to levy massive penalties when data protection failures affect consumers.
These aren't outliers. They're the pattern. The FTC has brought over 80 data security enforcement actions, and the pace is accelerating.
FTC Cybersecurity Requirements for Businesses: The Core Elements
Based on consent orders, the FTC's "Start with Security" guidance, and their alignment with the NIST framework, here are the specific elements the FTC expects in your security program. This is the closest thing to a checklist you'll get.
1. A Written Information Security Program
Every consent order requires a "comprehensive information security program" that's documented, maintained, and updated. This isn't a template you download and file away. It needs to reflect your actual data practices, actual risks, and actual technical environment.
2. Designated Security Personnel
Someone in your organization needs to own security. In smaller shops, that might be someone in a dual role. In larger organizations, it's a CISO or a dedicated team. The FTC wants accountability — a named person or team responsible for implementing and maintaining the program.
3. Risk Assessments
You must identify material internal and external risks to the security of personal information you collect. This means documented risk assessments, not a gut feeling that "we're probably fine." The FTC specifically looks for whether you assessed risks in employee training, information systems, and data processing.
4. Safeguards for Identified Risks
Once you've identified risks, you need to implement safeguards. The FTC has specifically cited failures to implement:
- Multi-factor authentication for remote access and administrative accounts
- Encryption for sensitive data at rest and in transit
- Access controls limiting who can view personal information
- Intrusion detection systems and logging
- Patch management and vulnerability scanning
- Data minimization — only collecting what you actually need
5. Employee Security Awareness Training
This one comes up in nearly every enforcement action. The FTC expects you to train your workforce on security threats and your own policies. Phishing simulation, social engineering awareness, credential theft prevention, and data handling procedures aren't nice-to-haves. They're expected.
If you haven't rolled out structured cybersecurity awareness training for your team, you have a gap that the FTC has repeatedly flagged as a failure point. This is one of the most cost-effective steps any business can take.
6. Vendor and Service Provider Oversight
Your responsibility doesn't end at your network perimeter. The FTC expects you to select service providers capable of maintaining appropriate safeguards and to contractually require them to do so. The 2024 Verizon Data Breach Investigations Report found that third-party involvement in breaches continues to climb — a fact the FTC is well aware of.
7. Incident Response Planning
You need a documented plan for responding to security incidents. Not "we'll figure it out when it happens." A written, tested plan that covers detection, containment, notification, and remediation.
8. Regular Program Evaluation and Adjustment
Security isn't a one-time project. The FTC requires ongoing evaluation — typically through annual assessments, penetration testing, and updates triggered by changes to your business or threat landscape.
What Counts as "Reasonable Security"? The FTC's Own Answer
The FTC has directly addressed this question in published guidance. According to the agency, reasonable security is a process, not a product. There's no single technology you can buy to become compliant. Instead, the FTC evaluates the totality of your security practices relative to your specific circumstances.
The NIST Cybersecurity Framework serves as the FTC's de facto benchmark. If your security program aligns with NIST CSF's five core functions — Identify, Protect, Detect, Respond, Recover — you're in strong shape. If you can't articulate how your program maps to these functions, you have work to do.
The Safeguards Rule: Even Stricter for Financial Institutions
If your business falls under the FTC's Gramm-Leach-Bliley Act (GLBA) jurisdiction — and that includes auto dealers, mortgage brokers, tax preparers, and other non-bank financial institutions — you face the even more prescriptive FTC Safeguards Rule. The updated rule, which took full effect in June 2023, requires specific technical controls including:
- Multi-factor authentication for anyone accessing customer information
- Encryption of customer data in transit and at rest
- A designated Qualified Individual responsible for the security program
- Penetration testing annually and vulnerability assessments every six months
- Written incident response plans
- Board-level or senior management reporting on security program status
The Safeguards Rule removed much of the ambiguity. If you're covered, compliance is prescriptive and measurable. No excuses.
Phishing Is Where Most Failures Begin
Here's what I see over and over again in FTC enforcement actions and real-world breaches: the initial compromise almost always traces back to a phishing email or social engineering attack. The Verizon 2024 DBIR confirmed that the human element was involved in 68% of breaches. Threat actors don't need to hack your firewall when they can trick an employee into handing over credentials.
The FTC has specifically cited lack of phishing training as a security failure in multiple consent orders. If your employees can't recognize a credential theft attempt, your expensive security stack doesn't matter. Attackers will walk right through the front door.
This is exactly why organizations should invest in phishing awareness training that simulates real-world attacks. Simulations build muscle memory. Employees who've been tested are dramatically more likely to report suspicious emails instead of clicking.
Zero Trust Isn't Optional Anymore
The FTC hasn't explicitly mandated zero trust architecture by name. But every control they've cited — least-privilege access, multi-factor authentication, network segmentation, continuous verification — aligns with zero trust principles. The conduct the FTC punished Drizly for, storing sensitive data in broadly accessible environments, is at its core a zero trust failure.
If you're still running a flat network where any employee can access any system, you're building the kind of environment that FTC investigators love to cite in complaints. Start segmenting. Start verifying. Start limiting access to what each role actually needs.
The Health Breach Notification Rule: Expanded Scope
In 2024, the FTC finalized updates to the Health Breach Notification Rule, expanding its reach to cover health apps and connected fitness devices. If your business touches health-related data but isn't covered by HIPAA, you may now fall under this rule. That means notification requirements for breaches and — critically — FTC enforcement authority over your security practices.
The FTC fined GoodRx $1.5 million in 2023 for sharing users' health information with advertisers without consent, marking the first enforcement under this rule. If your app collects anything health-adjacent — sleep data, fertility tracking, fitness metrics — pay attention.
Five Steps to Take This Week
Stop reading compliance frameworks and start doing these concrete things:
Step 1: Document What Data You Hold and Where
You can't protect what you don't know exists. Map every database, spreadsheet, cloud bucket, and SaaS platform that contains personal information. Then ask: do we actually need all of this? Data minimization is an FTC expectation. Delete what you don't need.
Step 2: Enable Multi-Factor Authentication Everywhere
The FTC has cited MFA failures in case after case. Enable it on every system that touches customer data, every administrative account, and every remote access point. No exceptions.
Step 3: Run a Phishing Simulation
Don't just send an email telling employees to "be careful." Run an actual phishing simulation. Measure who clicks. Train those who do. Repeat quarterly. This is exactly the kind of measurable, documented effort the FTC wants to see.
Step 4: Write Your Incident Response Plan
If you don't have one, write it today. Include: who to contact, how to contain a breach, when to notify consumers and regulators, and how to preserve evidence. Test it with a tabletop exercise at least annually.
Step 5: Get Your Security Awareness Training Rolling
The FTC looks for evidence that you trained employees on your specific security policies and on broader threats like ransomware, social engineering, and credential theft. Structured training through platforms like computersecurity.us gives you documentation that you took reasonable steps — the exact standard the FTC applies.
The Cost of Non-Compliance vs. The Cost of Compliance
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a breach at $4.88 million. The FTC can impose consent orders lasting 20 years, require biannual third-party security assessments at your expense, and — as Drizly showed — hold executives personally liable.
Compare that to the cost of implementing a written security program, training your employees, and deploying MFA. It's not even close. The math overwhelmingly favors proactive compliance.
The Cybersecurity and Infrastructure Security Agency (CISA) publishes resources specifically designed to help small and mid-sized businesses implement these controls. Between CISA's resources and structured training, there's no credible argument for inaction.
The FTC Is Watching. Act Like It.
FTC cybersecurity requirements for businesses aren't going away. Every enforcement action raises the bar and creates new precedent. Every consent order tells the next company exactly what "reasonable" means — and makes it harder to argue you didn't know.
Your customers trust you with their data. The FTC is making sure you earn that trust, whether you want to or not. The businesses that thrive in this environment aren't the ones with the biggest security budgets. They're the ones that treat security as a core business function, train their people, and document everything.
Start with what you can control today. Train your team. Write your policies. Enable MFA. Run simulations. The FTC's standard isn't perfection — it's reasonableness. But "we didn't get around to it" has never once qualified as reasonable.