The FTC Just Fined a Company $5 Billion. Are You Next?
In 2019, the FTC levied a record-breaking $5 billion penalty against Facebook for privacy violations. That number made headlines, but here's what most business owners missed: the FTC doesn't just go after tech giants. They come for small businesses, mid-size firms, and anyone who collects consumer data and fails to protect it. Understanding FTC cybersecurity requirements for businesses isn't optional — it's the difference between operating normally and facing an enforcement action that could shut your doors.
I've watched dozens of companies scramble after receiving an FTC complaint. The pattern is always the same: they assumed cybersecurity regulations only applied to banks and hospitals. They were wrong. If your business collects personal information from customers — names, emails, payment data, health records — the FTC considers you responsible for protecting it.
This post breaks down exactly what the FTC expects, what triggers enforcement, and the specific steps you need to take right now to stay on the right side of the law.
What the FTC Actually Requires (And Why Most Businesses Get It Wrong)
The FTC doesn't publish a neat checklist labeled "do these ten things and you're compliant." Instead, they enforce cybersecurity through Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices." In plain English: if you promise customers you'll protect their data (through a privacy policy, terms of service, or even marketing language) and then fail to do so, you've committed a deceptive practice.
But it goes further. Even if you never made an explicit promise, the FTC can pursue you for unfair practices — meaning your security was so poor that it caused or was likely to cause substantial consumer injury. I've seen this catch business owners off guard more than anything else.
The Safeguards Rule: Where It Gets Specific
For financial institutions — and the FTC defines that term broadly to include auto dealers, mortgage brokers, tax preparers, and others — the Gramm-Leach-Bliley Act's Safeguards Rule spells out more concrete requirements. The FTC finalized significant updates to this rule in late 2021, tightening what "reasonable security" means.
Key requirements under the updated Safeguards Rule include:
- Designating a qualified individual to oversee your information security program
- Conducting risk assessments and documenting them
- Implementing access controls and multi-factor authentication
- Encrypting customer information in transit and at rest
- Developing an incident response plan
- Providing security awareness training to all personnel
- Regularly testing and monitoring safeguards
Even if you're not classified as a financial institution, these requirements serve as the FTC's template for what "reasonable security" looks like across industries. I've spoken with attorneys who specialize in FTC enforcement, and they all say the same thing: the Safeguards Rule is essentially the FTC's cybersecurity playbook for everyone.
The $4.88M Lesson Most Small Businesses Learn Too Late
According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach reached $4.24 million globally. For smaller businesses, a single FTC enforcement action can be existential. And the FTC has been accelerating its enforcement pace.
Consider these real cases:
CafePress: A Masterclass in What Not to Do
In March 2022, the FTC finalized an order against CafePress after a 2019 data breach exposed the personal information of millions of customers. The FTC found that CafePress stored Social Security numbers and password reset answers in plain text, failed to patch known vulnerabilities, and kept consumer data far longer than necessary. The company's former owner was required to pay $500,000 and comply with a comprehensive security program.
What's striking about this case: CafePress wasn't a Fortune 500 company. It was an online retailer. The security failures were basic — the kind I see in small and mid-size businesses every week.
SkyMed International: Deceptive Security Promises
In 2021, the FTC went after SkyMed, a travel membership company, for a data breach that exposed consumers' personal information, including passport numbers. SkyMed's sin wasn't just poor security — it was telling affected customers there was "no reason to be concerned" and that no personal information had been compromised, when in fact it had. The FTC called this deceptive and imposed strict requirements.
The lesson: how you respond to a breach matters as much as how you prevent one.
What Does "Reasonable Security" Mean to the FTC?
This is the question I get asked most, and it's the one most likely to appear in a search about FTC cybersecurity requirements for businesses. Here's the direct answer:
The FTC has never defined a single standard for "reasonable security." Instead, they evaluate it based on the sensitivity of data you collect, your company's size and complexity, the cost of available tools, and known industry threats. However, the FTC has published guidance — notably their "Start with Security" guide — that outlines specific expectations.
The FTC expects businesses to, at minimum:
- Limit data collection to what you actually need
- Control access so employees only reach data relevant to their role
- Require strong authentication, including multi-factor authentication for sensitive systems
- Patch known vulnerabilities promptly — the FTC has specifically cited failure to patch as evidence of unreasonable security
- Train employees to recognize social engineering and phishing attacks
- Monitor systems for unauthorized access
- Have an incident response plan and test it
- Oversee service providers who handle your customer data
If a threat actor compromises your network because you failed to do any of these things, the FTC will argue your security was unreasonable. And based on decades of enforcement precedent, they'll probably win.
Why Employee Training Is the FTC's Favorite Enforcement Trigger
I've reviewed over 80 FTC data security complaints and consent orders. You know what appears in nearly every single one? A finding that the company failed to adequately train its employees on security practices.
This makes sense. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element — phishing, credential theft, social engineering, or simple errors. The FTC knows this. When they investigate a breach, one of the first things they look at is your training program.
Not whether you have one. Whether it's effective.
What "Effective" Training Looks Like
A once-a-year PowerPoint presentation doesn't cut it. I've seen companies produce evidence of annual training during an FTC investigation, only to have the FTC dismiss it because the training was generic, outdated, or never reinforced. Here's what actually works:
- Regular phishing simulations that test employees with realistic scenarios — not obvious fake emails from "Nigerian princes"
- Role-specific training so your finance team understands business email compromise and your IT team understands zero trust architecture
- Ongoing reinforcement through short, frequent modules rather than one annual session
- Documented completion and assessment to prove employees actually absorbed the material
If you're looking for a structured program that covers these requirements, our cybersecurity awareness training course is built specifically to meet the standards regulators like the FTC expect. For organizations that need targeted anti-phishing capabilities, our phishing awareness training for organizations provides the simulation and education components that satisfy both FTC guidance and industry best practices.
The FTC's Enforcement Toolkit: What They Can Actually Do to You
A lot of business owners underestimate the FTC's power. Let me be clear about what's at stake.
Consent Orders
Most FTC cybersecurity cases end in consent orders — legally binding agreements that typically require 20 years of third-party security assessments, mandatory reporting of any future breaches, and implementation of a comprehensive information security program. If you violate the consent order, the FTC can pursue civil penalties of up to $43,792 per violation per day.
Civil Penalties
For violations of specific rules like the Safeguards Rule or the Health Breach Notification Rule, the FTC can impose direct civil penalties without going through the consent order process first.
Individual Liability
The CafePress case made something clear: the FTC will pursue individuals, not just companies. The company's former owner was personally named in the complaint and personally required to pay penalties and comply with security requirements.
Your 90-Day FTC Compliance Action Plan
I'm not a lawyer, and this isn't legal advice. But based on every FTC enforcement action I've studied, here's the practical roadmap I recommend to businesses serious about meeting the FTC's cybersecurity requirements.
Days 1-30: Assess and Document
- Conduct a written risk assessment identifying what personal data you collect, where it's stored, who has access, and what threats exist
- Review your privacy policy and public-facing security claims — make sure every promise is actually true
- Inventory all service providers who handle customer data and review their contracts for security requirements
- Designate a specific individual as responsible for your security program
Days 31-60: Implement Core Controls
- Enable multi-factor authentication on all systems containing customer data — this is non-negotiable in 2022
- Patch all known vulnerabilities across your infrastructure — CISA's Known Exploited Vulnerabilities Catalog is a great starting point
- Implement access controls based on the principle of least privilege
- Encrypt customer data at rest and in transit
- Deploy endpoint detection tools and enable logging
Days 61-90: Train, Test, and Plan
- Launch a security awareness training program for all employees — enroll your team in a comprehensive cybersecurity awareness course that covers social engineering, credential theft, ransomware, and data handling
- Run your first phishing simulation to baseline employee susceptibility
- Write and test an incident response plan — who gets called, what gets preserved, who contacts affected consumers
- Document everything. The FTC evaluates your program's existence based on what you can prove in writing
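Two of the steps above, patching against CISA's Known Exploited Vulnerabilities Catalog and documenting what you did, can be turned into a repeatable check. The script below is an added example, not code from the original post or from CISA: it reads a catalog in the shape of CISA's public KEV JSON feed (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction` and `knownRansomwareCampaignUse` fields), cross-references it with a host inventory that records which CVEs each host has already been patched against, and produces a written exposure report that flags anything past CISA's due date. The catalog entries, CVE identifiers (`CVE-0000-000x` placeholders, not real CVEs), host names and products are all constructed for the example; in practice you would fetch the live feed and feed in your real inventory.

```python
"""Cross-reference a host inventory against a CISA KEV-style catalog and
produce a written exposure report (added example; constructed sample data)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE ids are
# placeholders, not entries from the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
         "vulnerabilityName": "ExampleCMS remote code execution", "dateAdded": "2022-01-10",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-01-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
         "vulnerabilityName": "ExampleCMS authentication bypass", "dateAdded": "2022-03-01",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "MailGateway",
         "vulnerabilityName": "MailGateway path traversal", "dateAdded": "2022-02-15",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-08",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed host inventory. "patched" lists the CVEs your patch records show
# as already applied on that host; vendor/product use the catalog's naming.
SAMPLE_INVENTORY = [
    {"host": "web-01", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
     "patched": ["CVE-0000-0001"]},
    {"host": "web-02", "vendorProject": "examplevendor", "product": "examplecms",
     "patched": []},
    {"host": "mail-01", "vendorProject": "OtherCorp", "product": "MailGateway",
     "patched": ["CVE-0000-0003"]},
    {"host": "files-01", "vendorProject": "OtherCorp", "product": "FileShare",
     "patched": []},
]


def load_kev(text):
    """Return the vulnerability entries from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def _key(vendor, product):
    # Case- and whitespace-insensitive match on vendor + product.
    return (vendor.strip().lower(), product.strip().lower())


def find_exposures(inventory, kev_entries, as_of):
    """List every (host, CVE) pair where the host runs a cataloged product and
    has no patch record for that CVE. as_of is an ISO date string used to
    decide whether CISA's remediation due date has already passed."""
    today = date.fromisoformat(as_of)
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    exposures = []
    for asset in inventory:
        patched = {c.upper() for c in asset.get("patched", [])}
        for entry in by_product.get(_key(asset["vendorProject"], asset["product"]), []):
            if entry["cveID"].upper() in patched:
                continue
            exposures.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "dueDate": entry["dueDate"],
                "overdue": today > date.fromisoformat(entry["dueDate"]),
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "requiredAction": entry["requiredAction"],
            })
    # Overdue items first, then by due date, then by host for a stable report.
    exposures.sort(key=lambda x: (not x["overdue"], x["dueDate"], x["host"]))
    return exposures


def summarize(exposures):
    """Counts suitable for the top of a written risk record."""
    return {
        "total": len(exposures),
        "overdue": sum(1 for x in exposures if x["overdue"]),
        "ransomware_linked": sum(1 for x in exposures if x["ransomware"]),
    }


def report(exposures, as_of):
    """Render the exposure list as plain text you can file with your risk assessment."""
    lines = [f"KEV exposure report as of {as_of}: {summarize(exposures)}"]
    for x in exposures:
        status = "OVERDUE" if x["overdue"] else "due " + x["dueDate"]
        flag = " [ransomware-linked]" if x["ransomware"] else ""
        lines.append(f"{x['host']}: {x['cveID']} ({x['name']}) {status}{flag} - {x['requiredAction']}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_exposures(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2022-03-15")
    print(report(found, "2022-03-15"))
```

Matching on vendor and product only is deliberate: the KEV feed does not carry affected version ranges, so the catalog tells you which products have an actively exploited CVE, and your own patch records tell you whether a given host has had the fix applied. Saving the report output alongside the date it was run gives you exactly the kind of written evidence the last step of the plan calls for.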
The Regulatory Landscape Is Getting Tighter, Not Looser
The FTC isn't slowing down. In late 2021, the Commission issued a policy statement warning that it would use its full enforcement authority against companies that fail to protect consumer health data. The updated Safeguards Rule raises the bar significantly. And the NIST Cybersecurity Framework, while voluntary, increasingly serves as the benchmark FTC investigators use to evaluate whether your security program is reasonable.
State attorneys general are also filing their own actions, often coordinating with the FTC. A single data breach can now trigger federal enforcement, state enforcement, class-action lawsuits, and notification costs simultaneously.
Zero Trust Isn't Just a Buzzword Anymore
The FTC's recent emphasis on access controls, authentication, and continuous monitoring aligns directly with zero trust principles. If you're still running a flat network where every employee can access every file, you're building the FTC's case against you. In my experience, organizations that adopt zero trust architectures — verifying every user, every device, every session — are dramatically less likely to face the kind of catastrophic breach that draws regulatory attention.
Stop Hoping the FTC Won't Notice You
Here's what I tell every business owner I work with: the FTC doesn't need to audit you proactively. They find you after a breach, after a consumer complaint, or after a news story. By then, the damage is done — to your customers, your reputation, and your bottom line.
The FTC cybersecurity requirements for businesses aren't a bureaucratic burden. They're a roadmap for building the kind of security program that actually prevents breaches. Every company that's faced an FTC enforcement action had the opportunity to implement reasonable safeguards before things went wrong. They just didn't.
Don't be that company. Start your risk assessment this week. Get your employees trained through a structured security awareness program. Implement multi-factor authentication today, not next quarter. Document everything you do.
Because when the FTC comes knocking — and eventually, for some of you, they will — the only thing that matters is what you can prove you did before that moment arrived.