The FTC Just Fined a Company $1.5 Million — Here's What They Missed
In 2023, the FTC finalized its order against Chegg, Inc. for repeated data breaches that exposed personal information of roughly 40 million customers and employees. The company's failures weren't exotic. They stored data in plain text. They didn't enforce multi-factor authentication. They lacked basic employee security awareness training. The FTC didn't need a novel legal theory — they used Section 5 of the FTC Act and called it what it was: unfair practices.
If you think the FTC cybersecurity requirements for businesses only apply to big tech, you're making the same mistake Chegg's leadership made. The Commission has made it crystal clear: if you collect consumer data, you have cybersecurity obligations, regardless of your size or industry.
This post breaks down exactly what the FTC expects, what triggers enforcement, and the practical steps your organization needs to take right now to stay compliant. I've spent years helping organizations navigate these requirements, and I can tell you — most businesses don't fail because the rules are complicated. They fail because they don't take the basics seriously.
What the FTC Actually Requires: No Excuses Left
The FTC doesn't publish a single checklist you can laminate and hang on a wall. Instead, its requirements come from three overlapping sources: Section 5 of the FTC Act, the Safeguards Rule (which applies to financial institutions under the Gramm-Leach-Bliley Act), and consent orders from enforcement actions that essentially become binding precedent.
Section 5 prohibits "unfair or deceptive acts or practices." If your privacy policy says you protect customer data but you don't actually implement reasonable security measures, that's deceptive. If a breach harms consumers because you skipped basic safeguards, that's unfair. The bar is "reasonableness" — not perfection.
The Safeguards Rule: Specific and Binding
The revised FTC Safeguards Rule, which took full effect in June 2023, goes much further. It requires covered financial institutions — including auto dealers, mortgage brokers, tax preparers, and many others — to implement a comprehensive information security program. Key mandates include:
- Designating a qualified individual to oversee your security program
- Conducting written risk assessments
- Implementing access controls and encrypting customer data
- Deploying multi-factor authentication for anyone accessing customer information
- Developing an incident response plan
- Providing ongoing security awareness training to all personnel
- Regularly testing and monitoring the effectiveness of safeguards
Even if your business isn't technically a "financial institution" under the Safeguards Rule, the FTC's consent orders against non-financial companies like Chegg, CafePress, and SkyMed have imposed nearly identical requirements. In my experience, the Safeguards Rule is the closest thing to a universal FTC cybersecurity standard — and treating it that way is the smartest move any business can make.
FTC Enforcement Actions: The $4.88M Lesson Most Businesses Learn Too Late
IBM's 2024 Cost of a Data Breach Report found the global average cost of a data breach hit $4.88 million. But FTC enforcement adds a different kind of pain: 20-year consent orders, mandatory third-party audits, public shaming, and personal liability for executives.
Let's look at the pattern. In its action against Drizly (2022), the FTC didn't just go after the company — it named the CEO personally and required him to implement security programs at any future company he runs. That was unprecedented. It sent a message: leadership accountability is no longer optional.
CafePress faced an FTC complaint after a 2019 breach exposed millions of customers' email addresses and passwords stored with outdated, inadequate encryption. The Commission's complaint cited failures in employee training, patch management, and incident response — the fundamentals.
What Triggers an FTC Investigation?
Three things consistently bring the FTC to your door:
- A data breach that harms consumers. Especially if the breach results from negligence — unpatched systems, weak credentials, lack of encryption.
- Deceptive privacy or security claims. If your website says "we use industry-leading security" but your team reuses passwords and doesn't run phishing simulations, you're exposed.
- Consumer complaints. The FTC tracks complaints through its Consumer Sentinel Network. A pattern of complaints about unauthorized access or data misuse can spark a formal investigation.
The common thread in every enforcement action I've reviewed? The failures were preventable. Not zero-day exploits. Not nation-state threat actors. Basic stuff: missing patches, no MFA, credential theft from phishing emails that nobody trained employees to recognize.
What Are the FTC Cybersecurity Requirements for Businesses?
Here's the direct answer. The FTC requires businesses that collect consumer data to implement reasonable cybersecurity safeguards. At a minimum, this means: conducting risk assessments, encrypting sensitive data, enforcing access controls and multi-factor authentication, training employees on security awareness, monitoring for threats, and maintaining a written incident response plan. For financial institutions, these requirements are codified in the revised Safeguards Rule. For all other businesses, the FTC enforces equivalent standards through Section 5 of the FTC Act and consent orders.
Employee Training: The Requirement Nobody Can Afford to Skip
Every single FTC consent order I've reviewed in the past five years includes mandatory security awareness training. Every one. It's not a suggestion — it's a core requirement.
And it makes sense. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, credential theft, errors, and misuse. You can deploy the most sophisticated zero trust architecture on the planet, and one employee clicking a phishing link can still bring down the house.
The FTC doesn't just want annual compliance videos. Their orders specify training that's "relevant to employees' roles and responsibilities" and updated regularly. That means your finance team needs targeted training on business email compromise. Your IT staff needs training on secure configuration and patch management. Your front-desk staff needs to recognize social engineering attempts.
What Effective Training Actually Looks Like
I've seen organizations check the training box with a single 30-minute webinar in January and call it done. That doesn't meet the FTC's reasonableness standard, and it definitely doesn't reduce risk.
Effective training includes:
- Regular phishing simulations that test employees with realistic scenarios and provide immediate feedback
- Role-based modules so a developer learns about secure coding while an HR manager learns about protecting employee PII
- Ongoing reinforcement — monthly or quarterly, not annually
- Measurable outcomes — click rates on simulations, assessment scores, reported phishing attempts
If your organization needs to build or upgrade its training program, our cybersecurity awareness training platform covers the essential topics the FTC expects businesses to address. For organizations specifically looking to reduce phishing risk — which is the single largest attack vector in FTC enforcement cases — our phishing awareness training for organizations provides the kind of targeted, role-specific education that regulators want to see.
The Seven Practical Steps to FTC Compliance
Let me give you the action plan I walk businesses through. This isn't theoretical — it's built from actual FTC requirements and enforcement patterns.
1. Appoint a Security Program Owner
The Safeguards Rule requires a "qualified individual" responsible for your information security program. This person doesn't have to be a CISO, but they need authority, resources, and direct access to leadership. In smaller businesses, it can be an outsourced role — the FTC explicitly allows that.
2. Conduct a Written Risk Assessment
Identify where you store customer data, what threats exist, and how adequate your current safeguards are. Document everything. The FTC's Safeguards Rule specifies that the risk assessment must be in writing and must include criteria for evaluating threats and countermeasures.
3. Implement Access Controls and MFA
Limit data access to employees who need it for their jobs. Deploy multi-factor authentication on every system that touches customer information. The FTC cited the lack of MFA in its complaints against both Chegg and CafePress. There's no excuse for skipping this in 2026.
4. Encrypt Data in Transit and at Rest
If customer data sits on a server or moves across a network unencrypted, you're a sitting target — and you're violating what the FTC considers a basic safeguard. Use TLS for data in transit and AES-256 or equivalent for data at rest.
5. Train Every Employee, Then Train Them Again
Security awareness training isn't a one-time event. Build a program that includes initial onboarding training, regular phishing simulations, and quarterly refreshers. Track metrics. Adjust based on results.
6. Monitor, Detect, and Respond
Deploy intrusion detection, log monitoring, and endpoint protection. More importantly, have a documented incident response plan that your team has actually practiced. The FTC's orders consistently require businesses to "implement intrusion detection and prevention systems" and test them regularly.
7. Assess Your Vendors
The FTC holds you responsible for customer data even when a vendor handles it. Your contracts must require service providers to maintain appropriate safeguards. Review vendor security at least annually.
Ransomware, Phishing, and the Threats the FTC Cares About Most
The FTC doesn't operate in a vacuum. Its enforcement priorities track with the threat landscape, and right now that means ransomware, credential theft, and social engineering dominate the conversation.
The FBI's Internet Crime Complaint Center (IC3) reported over $12.5 billion in cybercrime losses in 2023, with phishing and business email compromise leading the pack. Those are the same attack vectors that appear in FTC complaints over and over again.
A zero trust security model — where no user or device is automatically trusted — is rapidly becoming the baseline expectation. The FTC hasn't formally mandated zero trust, but its requirements for access controls, continuous monitoring, and least-privilege access map directly onto zero trust principles.
Why Phishing Simulations Are Non-Negotiable
In my experience, organizations that run regular phishing simulations see click rates drop from 25-30% to under 5% within six months. That's not just a training metric — it's a direct reduction in breach risk. And when an FTC investigator asks what you've done to prevent social engineering attacks, showing simulation data with declining click rates is exactly the kind of evidence that demonstrates "reasonable" safeguards.
Small Businesses Aren't Exempt — They're Prime Targets
I hear this constantly: "We're too small for the FTC to care about." Wrong. The FTC has pursued enforcement actions against companies of all sizes. More importantly, the FTC's guidance materials explicitly state that reasonable security is scalable — a small business isn't expected to have a Fortune 500 security budget, but it is expected to implement safeguards proportional to the sensitivity and volume of data it handles.
In practice, that means even a 10-person company that processes customer credit cards needs encryption, access controls, employee training, and an incident response plan. The Safeguards Rule applies to financial institutions regardless of size.
If you're a small business owner reading this and feeling overwhelmed, start with the basics: MFA on everything, a password manager for your team, regular phishing awareness training, and encrypted backups. Those four steps alone address the most common failures cited in FTC enforcement actions.
What Happens When You Get It Wrong
FTC consent orders typically span 20 years. During that period, your business faces mandatory biennial third-party security assessments, detailed record-keeping requirements, and reporting obligations to the Commission. Violate the order, and you face civil penalties of over $50,000 per violation per day.
Beyond the legal consequences, there's the reputational damage. FTC enforcement actions are public. Your customers, partners, and investors will know. For many small and mid-sized businesses, the reputational hit is more damaging than the fine.
Start Building Your Defense Today
The FTC cybersecurity requirements for businesses aren't going to get easier. The Commission continues expanding its enforcement posture, and every major data breach generates more political pressure for accountability. Waiting until after a breach to get compliant isn't a strategy — it's a liability.
Map your data. Assess your risks. Deploy MFA. Encrypt everything sensitive. Train your people relentlessly. Test your defenses. Document all of it.
Your compliance program is only as strong as your weakest employee's ability to spot a phishing email. Invest in cybersecurity awareness training that actually changes behavior. Build a phishing simulation program that keeps your team sharp year-round. Because when the FTC comes asking questions, "we didn't know" has never been an acceptable answer.