The $5.6 Billion Warning the FTC Already Sent You

In 2023, the FTC reported collecting over $5.6 billion in consumer refunds from enforcement actions — a significant chunk tied to data security failures. If you think the FTC only goes after big tech, think again. They've pursued auto dealers, health apps, ed-tech startups, and even a company that sold flashlights online. No business is too small to draw their attention.

Understanding FTC cybersecurity requirements for businesses isn't optional anymore. It's the difference between operating normally and facing a consent decree that dictates your security practices for the next 20 years. I've seen organizations blindsided by this, and the aftermath isn't pretty.

This post breaks down what the FTC actually requires, which enforcement actions should scare you into compliance, and the concrete steps your organization needs to take right now.

What Are FTC Cybersecurity Requirements for Businesses?

The FTC doesn't publish a single checklist you can print and pin to your wall. Instead, their authority comes primarily from two sources: Section 5 of the FTC Act, which prohibits unfair or deceptive practices, and the Safeguards Rule under the Gramm-Leach-Bliley Act for financial institutions.

Under Section 5, if your business collects consumer data and fails to protect it reasonably, the FTC can argue that's an unfair practice. If you promise security in your privacy policy and don't deliver, that's deceptive. Either way, you're in their crosshairs.

The Revised Safeguards Rule

The FTC's revised Safeguards Rule took full effect in June 2023 and remains the governing standard in 2026. It applies to "financial institutions" — but the FTC defines that term broadly. Auto dealers, mortgage brokers, payday lenders, tax preparers, and even some retailers offering financing all fall under it.

Key requirements include:

  • Designating a qualified individual to oversee your information security program
  • Conducting written risk assessments
  • Implementing access controls and encryption for customer data
  • Adopting multi-factor authentication for anyone accessing customer information
  • Developing an incident response plan
  • Providing security awareness training to all personnel
  • Regularly testing and monitoring safeguards
  • Reporting security events to your board or governing body

That's not a suggestion list. Those are mandates. Failure to comply is a violation of federal law.

Enforcement Actions That Should Keep You Up at Night

The FTC doesn't just write rules. They enforce them aggressively. Here are real cases that illustrate what happens when businesses treat cybersecurity as an afterthought.

Drizly: The CEO Got Named Personally

In 2022, the FTC took action against alcohol delivery platform Drizly and its CEO personally after a data breach exposed information on roughly 2.5 million consumers. The company had stored critical data on an unsecured cloud platform, reused credentials, and lacked basic monitoring. The FTC's order followed the CEO to his next job — meaning even if Drizly shut down, the security obligations stuck to him individually.

That should terrify every business owner reading this. The FTC can and will hold leadership personally accountable.

CafePress: Credential Theft They Ignored

CafePress suffered a breach in 2019 that compromised millions of accounts. The FTC's complaint alleged the company failed to implement reasonable security, stored Social Security numbers in plain text, and didn't properly investigate the breach for months. The FTC's 2022 order required the company to overhaul its security program and submit to third-party assessments.

Chegg: Four Breaches in Three Years

Ed-tech company Chegg got hit with an FTC action after four separate data breaches between 2017 and 2020 exposed personal data of roughly 40 million users. The FTC cited failures like employees and contractors sharing login credentials and the company collecting more data than necessary. The resulting order mandated multi-factor authentication, data minimization, and regular security training.

See the pattern? These aren't exotic zero-day exploits. They're basic security failures — weak credentials, no encryption, absent training, poor monitoring.

Does the FTC Apply to Your Business?

Short answer: almost certainly yes. If your business collects personal information from consumers and operates in the United States, the FTC's Section 5 authority applies to you. You don't need to be a financial institution. You don't need to process payments. If you have a customer list with email addresses and you promised to protect that data, you're in scope.

The Safeguards Rule has a narrower scope — financial institutions as defined by the FTC. But Section 5 casts a wide net. The FTC has brought actions against companies in healthcare, retail, education, hospitality, and dozens of other sectors.

The 8 Steps to FTC Compliance Your Organization Needs

Based on FTC enforcement patterns and the Safeguards Rule requirements, here's what your organization should implement:

1. Assign a Security Leader

Someone in your organization needs to own information security. The Safeguards Rule requires a "qualified individual" — that can be an employee or an outsourced provider, but they must have real authority and expertise.

2. Run a Formal Risk Assessment

Document your risks. Identify where consumer data lives, who can access it, and what threats exist. The FTC expects this in writing, updated regularly.

3. Deploy Multi-Factor Authentication

Every enforcement action I've reviewed cites credential theft or weak authentication. MFA is non-negotiable. Implement it on every system that touches customer data.

4. Encrypt Data at Rest and in Transit

If a threat actor steals an encrypted database, the damage is contained. If they steal plaintext Social Security numbers like they did at CafePress, you're facing an FTC complaint and a class-action lawsuit.

5. Train Every Employee — Not Just IT

The FTC specifically calls out security awareness training as a requirement. Phishing simulations and social engineering awareness aren't nice-to-haves. The Chegg order mandated them explicitly. Our cybersecurity awareness training program covers exactly the topics the FTC expects your workforce to understand.

6. Implement Access Controls

Apply the principle of least privilege. Not everyone needs access to everything. Zero trust architecture, where every access request is verified regardless of network location, aligns directly with what the FTC demands.

7. Build an Incident Response Plan

The FTC doesn't just punish breaches — they punish slow, negligent responses. Have a documented plan. Know who to call. Know how to preserve evidence. Practice it.

8. Test Your Controls Regularly

Penetration testing, vulnerability scanning, and phishing simulations should run on a recurring schedule. Our phishing awareness training for organizations helps you measure employee susceptibility and build a culture that recognizes social engineering attempts before they succeed.

What Happens When You Violate FTC Cybersecurity Requirements?

The consequences are severe and long-lasting:

  • Consent decrees lasting 10 to 20 years that dictate your security practices in detail
  • Mandatory third-party security assessments at your expense, sometimes biannually
  • Personal liability for executives — as demonstrated in the Drizly case
  • Civil penalties up to $50,120 per violation per day under the Safeguards Rule
  • Reputational damage that sends customers to your competitors

And here's what most people miss: the FTC doesn't need a data breach to take action. They can pursue you for having inadequate security practices even if no breach has occurred. The FTC's Start with Security guide makes this explicit.

How FTC Requirements Compare to Other Frameworks

If you're already working toward NIST Cybersecurity Framework compliance, you're in good shape. The FTC has explicitly referenced the NIST CSF as a reasonable benchmark. The Safeguards Rule requirements map closely to NIST's Identify, Protect, Detect, Respond, and Recover functions.

Similarly, if you're following CISA's Shields Up guidance, you're already addressing many of the security basics the FTC expects. The overlap is significant — access controls, MFA, encryption, training, and incident response appear across all of these frameworks.

The Ransomware Connection You Can't Ignore

Here's something I've seen repeatedly in my work: organizations that fail FTC cybersecurity requirements are the same ones getting hit with ransomware. The Verizon 2024 Data Breach Investigations Report found that credentials and phishing remain the top initial access vectors for threat actors deploying ransomware. These are exactly the gaps the FTC punishes.

When you invest in meeting FTC cybersecurity requirements for businesses, you're simultaneously hardening your defenses against the threats that actually hit organizations daily. It's compliance and protection rolled into one effort.

Your 30-Day FTC Compliance Kickstart

Week 1: Assign your security leader. Inventory all systems storing consumer data.

Week 2: Begin your written risk assessment. Identify your biggest gaps — likely MFA and encryption.

Week 3: Deploy MFA on all systems touching customer data. Start encrypting stored data.

Week 4: Launch employee training. Run your first phishing simulation. Draft your incident response plan.

That won't make you fully compliant in 30 days. But it demonstrates good faith, closes your most critical gaps, and starts building the documentation trail the FTC looks for when deciding whether your security program is "reasonable."

The FTC isn't going to wait for your next strategic planning cycle. Every day you operate without these controls is a day you're exposed — to regulators, to threat actors, and to the kind of breach that turns a business into a cautionary tale.