A $1.5 Million Fine for "Reasonable Security" Failures

In May 2023, the FTC hit online alcohol marketplace Drizly and its CEO with an enforcement order after a data breach exposed the personal information of roughly 2.5 million consumers. The kicker? The FTC had warned the company about its lax security practices before the breach happened. They ignored it. The order now follows the CEO personally to any future companies he leads.

That case tells you everything you need to know about how seriously the FTC takes cybersecurity in 2023. And if you think these actions only hit big companies, you haven't been paying attention.

This post breaks down the FTC cybersecurity requirements for businesses — what the agency actually demands, how they enforce it, what triggers an investigation, and the specific steps your organization should take right now. Whether you run a 15-person startup or a mid-market retailer, these requirements apply to you.

What the FTC Actually Requires (and Why It's Intentionally Vague)

Here's what trips up most business owners: the FTC doesn't hand you a checklist. There's no "install these five tools and you're compliant" directive. Instead, Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices" — and the agency has successfully argued for over two decades that failing to protect consumer data qualifies as an unfair practice.

The FTC's position is straightforward. If you collect personal information from consumers, you must implement "reasonable security measures" to protect that data. What counts as reasonable depends on your business size, the sensitivity of data you handle, and the tools available to you.

The Revised Safeguards Rule: Where Things Got Specific

For financial institutions — and that term is broader than you think, covering auto dealers, mortgage brokers, tax preparers, and more — the FTC updated the Gramm-Leach-Bliley Act's Safeguards Rule with enforcement beginning in June 2023. This revision added teeth that had been missing for years.

The updated rule now requires these specific measures:

  • Designating a qualified individual to oversee your information security program
  • Conducting written risk assessments
  • Implementing access controls and encryption for customer data
  • Deploying multi-factor authentication for anyone accessing customer information
  • Developing an incident response plan
  • Providing security awareness training to all personnel
  • Regularly testing and monitoring the effectiveness of safeguards

Even if your business doesn't fall under the Safeguards Rule directly, these requirements signal exactly what the FTC considers "reasonable." I've seen the agency reference Safeguards Rule standards in enforcement actions against companies that technically aren't covered by it. Think of it as the FTC's blueprint for what every business should be doing.

FTC Cybersecurity Requirements for Businesses: The Enforcement Reality

The FTC has brought over 80 data security enforcement actions since 2002. I want to highlight a few that matter because they reveal how the agency actually thinks about your security posture.

Case Study: CafePress (2022)

CafePress, the custom merchandise platform, stored Social Security numbers and password reset answers in plain text. After a 2019 breach exposed data from over 22 million accounts, the FTC found the company failed to implement reasonable security measures. The settlement required the former owner to pay $500,000 and mandated a comprehensive security program.

The FTC specifically cited failures in encryption, access controls, and the company's response to the breach — they tried to cover it up by resetting passwords without disclosing the incident.

Case Study: Chegg (2022)

Education technology company Chegg suffered four data breaches between 2017 and 2020. The FTC's complaint highlighted that employees and contractors could access consumer data using a single company-wide login. No multi-factor authentication. No access controls limiting who could see what. The company stored data in plain text on cloud servers.

The FTC's order required Chegg to implement MFA, limit data collection, give consumers access to their data, and establish a comprehensive security program.

What These Cases Tell You

Patterns emerge across FTC enforcement actions. The agency consistently goes after businesses that:

  • Store sensitive data in plain text without encryption
  • Fail to implement multi-factor authentication
  • Don't limit employee access to sensitive data
  • Ignore known vulnerabilities after being notified
  • Lack an incident response plan
  • Don't train employees on security practices

If your organization is doing any of these things right now, you're operating in the FTC's crosshairs.

The "Reasonable Security" Standard: What It Actually Means

What does the FTC consider "reasonable" cybersecurity?

The FTC evaluates reasonable security based on the totality of a company's security program relative to the sensitivity and volume of consumer data it handles. In practice, the agency has outlined several core expectations in its guidance document "Start with Security", which maps closely to the NIST Cybersecurity Framework. Reasonable security includes: conducting risk assessments, encrypting sensitive data, controlling access on a need-to-know basis, training all employees on security threats, monitoring for unauthorized access, maintaining an incident response plan, and keeping software patched and updated. The FTC doesn't require perfection — but it requires evidence that you tried systematically.

This matters because "we didn't know" has never been an effective defense. The FTC expects you to proactively identify risks, not wait until a threat actor breaches your network to discover you had problems.

Social Engineering and Employee Training: The Gap Most Businesses Ignore

According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches involved the human element — including social engineering, errors, and misuse. Phishing remains the top initial access vector for credential theft, and it's the one area where technology alone can't save you.

I've seen organizations spend six figures on firewalls and endpoint detection while their employees click every phishing simulation that lands in their inbox. The FTC has specifically called out inadequate employee training in multiple enforcement actions. In the Chegg case, the FTC noted that employees fell for a phishing attack that gave threat actors access to an internal database — and the company had no meaningful security training program in place.

Your employees are your first and last line of defense. Every person who handles consumer data needs to understand phishing, pretexting, and credential theft tactics. This isn't optional under the FTC's framework — it's core to demonstrating reasonable security.

If you're building or upgrading your training program, our cybersecurity awareness training course covers exactly what the FTC expects employees to know, from recognizing social engineering to reporting incidents properly.

Phishing Simulations: Proof the FTC Wants to See

Running periodic phishing simulations isn't just good practice — it creates documented evidence that your organization actively tests and trains its workforce. The updated Safeguards Rule explicitly requires testing the effectiveness of your safeguards, and phishing simulations are one of the most direct ways to demonstrate compliance.

Our phishing awareness training for organizations is designed specifically to help businesses build this kind of documented, measurable training program. You run the simulations, track who clicks, retrain those who need it, and build a paper trail that shows the FTC (or any regulator) that you take this seriously.

Zero Trust Isn't Just a Buzzword — It's Where the FTC Is Heading

If you read between the lines of recent FTC actions, you'll notice a clear trend toward zero trust principles. The agency doesn't use that term explicitly, but every enforcement action hammers the same themes: verify identity before granting access, limit access to what's needed, encrypt data at rest and in transit, and assume your perimeter will be breached.

The CISA Zero Trust Maturity Model provides a practical roadmap that aligns closely with what the FTC expects. If you adopt even the foundational tier of that model, you'll be ahead of most businesses the FTC investigates.

Specific zero trust practices that map to FTC expectations:

  • Identity verification: Multi-factor authentication for all systems containing consumer data
  • Least-privilege access: Employees can only access data they need for their specific role
  • Microsegmentation: If a threat actor compromises one system, they can't move laterally to everything else
  • Continuous monitoring: Log access to sensitive data and review those logs regularly
  • Encryption everywhere: At rest, in transit, no exceptions for "internal" data
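
The two practices above that most directly produce a paper trail, least-privilege access and regular review of access logs, can be put together in a short review script. The block below is an added example, not code from the original post or from any FTC guidance; the roles, resources, accounts and log lines are constructed for the illustration. It applies a default-deny role allowlist to a day's access records and flags two of the patterns the enforcement actions describe: reads outside an employee's role, and one account behaving like a shared company-wide login (used under several roles or from many sources).

```python
"""Retrospective least-privilege review of an access log (added example).

Assumptions (not from the post): a role -> resource allowlist, and log
lines of the form
    <timestamp> user=<id> role=<role> resource=<name> src=<ip>
All sample data below is constructed.
"""
import re
from collections import defaultdict

# Role allowlist. Anything not listed is denied: this default-deny stance
# is what "employees can only access data they need" means in practice.
ROLE_PERMISSIONS = {
    "support": {"orders", "shipping_address"},
    "billing": {"orders", "payment_token"},
    "hr": {"employee_ssn"},
}

# Constructed sample log; "shared-ops" plays the part of a company-wide login.
SAMPLE_LOG = """\
2023-09-14T10:02:11Z user=alice role=support resource=orders src=10.0.0.5
2023-09-14T10:03:40Z user=bob role=billing resource=payment_token src=10.0.0.9
2023-09-14T10:05:02Z user=alice role=support resource=employee_ssn src=10.0.0.5
2023-09-14T10:06:17Z user=shared-ops role=support resource=orders src=10.0.0.21
2023-09-14T10:06:30Z user=shared-ops role=billing resource=payment_token src=10.0.0.22
2023-09-14T10:07:55Z user=shared-ops role=support resource=orders src=198.51.100.7
2023-09-14T10:09:12Z user=carol role=intern resource=orders src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"resource=(?P<resource>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def is_allowed(role, resource):
    """Default deny: unknown roles and unlisted resources are both refused."""
    return resource in ROLE_PERMISSIONS.get(role, set())


def review_access_log(text, max_sources=2):
    """Return human-readable findings for a periodic access review.

    Flags (1) any read that the actor's role does not permit and
    (2) accounts that look shared: used under more than one role, or
    seen from more than `max_sources` distinct source addresses.
    """
    findings = []
    roles_by_user = defaultdict(set)
    sources_by_user = defaultdict(set)

    for event in parse_log(text):
        if not is_allowed(event["role"], event["resource"]):
            findings.append(
                f"out-of-role access: {event['user']} ({event['role']}) "
                f"read {event['resource']} at {event['ts']}"
            )
        roles_by_user[event["user"]].add(event["role"])
        sources_by_user[event["user"]].add(event["src"])

    for user in sorted(roles_by_user):
        if len(roles_by_user[user]) > 1:
            findings.append(
                f"shared account: {user} used under roles "
                f"{sorted(roles_by_user[user])}"
            )
        if len(sources_by_user[user]) > max_sources:
            findings.append(
                f"shared account: {user} seen from "
                f"{len(sources_by_user[user])} source addresses"
            )
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log it reports four findings: alice's support role reading `employee_ssn`, carol's unlisted `intern` role (denied by default), and the `shared-ops` account flagged twice, once for spanning two roles and once for appearing from three addresses. The point for a compliance file is not the heuristics themselves but that the review runs on a schedule and its output is kept.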

Ransomware and the FTC: Your Breach Response Matters

Ransomware attacks have surged in 2023, and the FTC pays close attention to how businesses respond. The Health Breach Notification Rule, which the FTC expanded this year, now requires health apps and connected devices to notify consumers after a breach — including ransomware incidents where data may have been accessed.

But even outside healthcare, the FTC has made clear that how you respond to a data breach is part of the "reasonableness" calculation. Companies that tried to hide breaches — like CafePress — faced harsher penalties. Companies that had an incident response plan and followed it fared better.

Your incident response plan should include:

  • Who to contact immediately (internal team, legal counsel, law enforcement)
  • How to contain the breach technically
  • When and how to notify affected consumers
  • How to preserve evidence for investigation
  • Post-incident review to fix what failed

Five Steps to Meet FTC Cybersecurity Requirements Today

Here's the practical roadmap I give every organization I work with:

1. Conduct a Written Risk Assessment

Document every system that touches consumer data. Identify threats. Rate the likelihood and impact of each. This document is your foundation, and the FTC expects it to exist.

2. Implement Multi-Factor Authentication Everywhere

MFA on email. MFA on cloud storage. MFA on admin portals. The FTC has cited the absence of MFA in nearly every recent enforcement action. There's no excuse for skipping it in 2023.

3. Encrypt Consumer Data at Rest and in Transit

If you're storing Social Security numbers, payment card data, health information, or login credentials in plain text, you're handing the FTC its case on a silver platter. Encrypt everything.
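
The CafePress action named one concrete instance of this: password reset answers kept in plain text. The block below is an added example, not code from the original post or from CafePress, showing that anti-pattern beside a hardened form that stores only a salted, slow hash of a normalized answer and compares it in constant time. The record layout, field names and iteration count are assumptions for the illustration; the 600,000 figure is the 2023 OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
"""Password reset answers: plain text beside a hashed form (added example).

Only Python's standard library is used. Field names such as
"reset_answer_hash" are assumptions for the example, not a real schema.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Iteration count: 2023 OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256.
# Tune upward as hardware allows; never downward for convenience.
PBKDF2_ITERATIONS = 600_000


# --- Anti-pattern: the storage the CafePress complaint described. ---------
def store_answer_plaintext(record, answer):
    """Anyone who obtains the table can read every answer directly."""
    record["reset_answer"] = answer
    return record


def check_answer_plaintext(record, answer):
    return record["reset_answer"] == answer


# --- Hardened form: verify-only storage, like a password. -----------------
def normalize(answer):
    """Fold trivial variation ("Fluffy " vs "fluffy") so users are not locked
    out, while keeping the stored value useless to an attacker who reads it."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _derive(answer, salt):
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def store_answer_hashed(record, answer):
    """Store a per-record random salt and the derived hash; never the answer."""
    salt = secrets.token_bytes(16)
    record["reset_answer_salt"] = salt.hex()
    record["reset_answer_hash"] = _derive(answer, salt).hex()
    return record


def check_answer_hashed(record, answer):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["reset_answer_salt"])
    candidate = _derive(answer, salt).hex()
    return hmac.compare_digest(candidate, record["reset_answer_hash"])


if __name__ == "__main__":
    weak = store_answer_plaintext({"user": "alice"}, "Fluffy")
    strong = store_answer_hashed({"user": "alice"}, "Fluffy")
    print("plaintext record exposes:", weak["reset_answer"])
    print("hashed record exposes:", strong["reset_answer_hash"][:16], "...")
    print("hashed check accepts 'fluffy ':", check_answer_hashed(strong, "fluffy "))
```

Reset answers only ever need to be verified, so they belong in the same class as passwords: hashed, never decrypted. Data you must read back later, such as a Social Security number, needs reversible encryption with a properly managed key instead, which the standard library does not provide and this example does not attempt.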

4. Train Every Employee — and Document It

Annual training isn't enough. Quarterly phishing simulations, role-specific security training, and documented completion records are what the FTC wants to see. This is one of the most cost-effective ways to reduce your risk of both a breach and an enforcement action.

5. Build and Test Your Incident Response Plan

Write the plan. Run a tabletop exercise. Update it based on what you learn. The FTC doesn't just want to know you have a plan — they want evidence you've tested it.

The Personal Liability Angle Nobody Talks About

The Drizly case changed the game. For the first time, the FTC issued an order that followed a CEO personally — meaning the security requirements apply to him at any company he leads for the next 20 years. This wasn't a one-off signal. FTC Chair Lina Khan has publicly stated the agency intends to hold individual executives accountable for security failures.

If you're a founder, CEO, or CTO, this is personal now. The FTC isn't just coming for your company — they're coming for you. That should change how you prioritize cybersecurity spending, staffing, and training.

The Bottom Line: The FTC Is Watching, and They're Getting Faster

FTC cybersecurity requirements for businesses aren't theoretical. They're enforced through consent orders that last 20 years, fines that can reach millions, and now personal liability for executives. The agency has signaled clearly that 2023 and beyond will bring more aggressive enforcement.

The good news? Meeting these requirements isn't impossible. It starts with understanding what the FTC actually looks for — reasonable, documented, continuously tested security measures. Train your people. Encrypt your data. Control access. Have a plan for when things go wrong.

Your competitors might be gambling that they won't get caught. I've seen how that bet ends. It's expensive, it's public, and increasingly, it's personal.