Federal Trade Commission Finalizes Order With Web Hosting Company Over Data Security Failures

Parker Poe Adams & Bernstein LLP

On May 21, 2025, the Federal Trade Commission (FTC) finalized a consent order with GoDaddy to settle allegations that the web hosting company misled customers and failed to implement basic data security protections. Although GoDaddy promoted "award-winning security," according to the FTC, it lacked essential protections, including multi-factor authentication (MFA) for administrators, threat monitoring, and secure connections for sensitive data. These lapses led to multiple data breaches between 2019 and 2022, allowing hackers to gain unauthorized access to customer websites and data. The FTC also found that GoDaddy’s claims of being in compliance with privacy frameworks (like the EU-U.S. and Swiss-U.S. privacy shield frameworks) were deceptive.

Under the final order, GoDaddy is required to take several steps to improve security and transparency in its practices: 

  • GoDaddy is prohibited from misrepresenting its security measures or privacy program compliance. This includes falsely claiming certain certifications or advanced security measures. 
  • GoDaddy is required to implement a comprehensive information-security program to protect its hosting services, including measures like MFA, continuous monitoring, prompt software updates, and network segmentation. 
  • GoDaddy must hire an independent third-party assessor to review its security program every two years to ensure it meets the FTC’s standards and remains effective over time.

Implications for Businesses 

The GoDaddy order closely follows an FTC settlement with Marriott International over similar issues, indicating a trend of aggressive enforcement. Strong cybersecurity governance for any business providing online services is becoming a non-negotiable obligation in the eyes of regulators. The FTC’s action against GoDaddy has broader lessons for companies of all sizes that handle customer data:

  • Baseline Cybersecurity Measures Are Mandatory: Regulators now see basics like MFA and monitoring as mandatory, not optional. Lacking these can be deemed "unreasonable security practices" and trigger enforcement.
  • Security Marketing Demands Accuracy: The FTC will scrutinize all public claims (such as calling your security "world-class" without basis). Any inaccurate statements can be deemed deceptive. 
  • Breaches Invite Regulator Scrutiny: Even if initial fines are avoided, companies may face years of audits and hefty penalties for any future security lapses. 

Recommended Actions for Businesses 

In light of this development, companies should consider taking the following steps to strengthen their data security and compliance posture:

  • Evaluate and Upgrade Security Measures:
    • Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in your systems. All businesses should ensure they have baseline defenses in place before a breach occurs.
    • Immediately address any gaps in access security (MFA and strong passwords), network monitoring, software update processes, and data encryption. These are the very areas the FTC identified in the GoDaddy case, and fixing them now will reduce risk.
  • Implement a Formal Security Program:
    • Develop a comprehensive written information-security program aligned with industry frameworks. Include regular risk assessments, incident response planning, and periodic third-party audits. A robust program not only improves security but also serves as evidence of due diligence if regulators inquire.
  • Mandate Employee Cybersecurity Training:
    • Ensure that all employees, especially those handling sensitive data, receive regular training on data security best practices, phishing awareness, and incident response protocols. These practices can help to create and maintain a security-conscious culture within the organization.
  • Review Public Statements and Policies:
    • Audit your website, marketing materials, and customer communications to ensure all statements about security and privacy are truthful.  
    • Update any outdated claims, such as references to non-current certifications, and avoid ambiguous assurances. It is better to explicitly state the protections that are in place rather than making unsubstantiated promises of "iron-clad security." Companies must exercise caution to avoid exaggerating their security practices.
  • Be Proactive:
    • Consider voluntarily adopting practices from FTC consent orders before they are required and keep up to date with evolving data security laws to remain ahead of enforcement. It is far more cost effective to strengthen security before regulators intervene.

By implementing these proactive measures, companies can greatly diminish the risk of the kind of security breaches that brought GoDaddy to the attention of the FTC. The core message of this enforcement action is clear: invest in robust data security now or face serious regulatory consequences later. Businesses that prioritize cybersecurity and honesty in their data practices will be far better positioned to earn customer trust and avoid legal pitfalls.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Parker Poe Adams & Bernstein LLP