FTC Data Security Enforcement Actions and Standards
The Federal Trade Commission's data security enforcement program represents one of the most consequential regulatory frameworks governing private-sector data handling in the United States. Operating primarily under Section 5 of the FTC Act, the agency pursues organizations whose security practices fall below a reasonable standard — translating that broadly worded statute into a body of consent orders, complaints, and binding standards. This page covers the scope of FTC enforcement authority, the procedural mechanics of enforcement actions, the categories of conduct most frequently targeted, and the analytical boundaries that determine when enforcement is triggered.
Definition and scope
The FTC's data security authority derives principally from Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits "unfair or deceptive acts or practices in or affecting commerce." The agency treats inadequate data security as an unfair practice when it causes, or is likely to cause, substantial consumer injury that consumers themselves cannot reasonably avoid. This framing does not require a specific federal data security statute for most industries — the general prohibition is sufficient.
Beyond the FTC Act, two sector-specific statutes extend the agency's reach with more prescriptive requirements. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement safeguards programs under the FTC's Safeguards Rule, which was substantially revised in 2021 and took full effect in June 2023 per FTC rulemaking. The Children's Online Privacy Protection Act (COPPA), enforced exclusively by the FTC, imposes heightened data security obligations on operators collecting personal information from children under 13. The intersection of the general Section 5 reasonableness standard with COPPA's children's data protection requirements creates one of the FTC's most actively litigated enforcement areas.
The FTC lacks jurisdiction over most banks, credit unions, common carriers, and nonprofit organizations, placing those entities under other federal regulators. Within its jurisdiction, the agency covers a wide commercial footprint — retail, technology, healthcare (outside HIPAA-covered entities), and the financial sector broadly defined.
How it works
FTC enforcement actions follow a structured procedural sequence:
- Investigation initiation — Staff open an investigation based on a data breach notification, consumer complaint, media report, or referral from another agency. No formal filing is required at this stage.
- Civil investigative demand (CID) — The agency may issue CIDs compelling document production, interrogatory responses, or testimony from the target organization or third parties.
- Complaint and proposed consent order — When investigation reveals actionable violations, the Bureau of Consumer Protection presents a proposed complaint and consent agreement to the full Commission for a vote. If a majority votes to authorize, the complaint is filed simultaneously with a proposed order.
- Public comment period — Proposed consent orders are published in the Federal Register and open for public comment, typically for 30 days, before the Commission issues a final order.
- Final order and compliance monitoring — Final orders typically run for 20 years and impose substantive security program requirements, biennial assessments by qualified third parties, incident reporting obligations, and recordkeeping mandates.
- Contempt or civil penalty proceedings — Violations of a final order expose the respondent to civil penalties of up to $51,744 per violation per day (as adjusted for inflation under FTC penalty authority, 16 C.F.R. § 1.98).
The FTC does not set a single prescriptive technical standard in most Section 5 cases. Instead, complaints and orders describe the specific practices alleged to be unreasonable — failure to encrypt, use of default credentials, inadequate access controls — allowing the body of orders to function collectively as de facto industry benchmarks. The NIST Cybersecurity Framework is frequently referenced in FTC guidance as an indicative standard, though not mandated by statute.
Common scenarios
The FTC's published complaints and orders identify recurring fact patterns across enforcement history:
- Inadequate authentication controls — Allowing weak or default passwords on administrative accounts or consumer-facing systems, as seen in the 2022 action against Drizly.
- Failure to encrypt sensitive data — Storing Social Security numbers, financial account data, or health information in plaintext or with deprecated encryption protocols.
- Deceptive security representations — Claiming compliance with specific frameworks (ISO 27001, SOC 2) or asserting "bank-level" security while maintaining materially deficient controls.
- Third-party vendor oversight failures — Granting excessive access to service providers without contractual security requirements or monitoring, a recurring theme in third-party vendor data security compliance.
- Inadequate incident response — Failure to detect, contain, or notify regulators and consumers following a breach in a timeframe consistent with data breach notification requirements.
- COPPA security violations — Collecting geolocation data, voice recordings, or persistent identifiers from children without implementing data minimization or deletion practices.
Decision boundaries
The distinction between an FTC enforcement target and a compliant organization is not binary — it depends on a risk-proportionality analysis applied to specific facts. The Commission's "reasonable security" standard incorporates four principal variables:
- Sensitivity of data held — Organizations holding medical records, financial credentials, or government identifiers face higher scrutiny than those holding only email addresses. Sensitive data categories trigger elevated expectations.
- Scale and resources — A 500-person company managing consumer financial records is held to a different baseline than a two-person startup, though the FTC has brought actions against small operators where data sensitivity was extreme.
- Representations made — Organizations that make affirmative security claims — in privacy policies, marketing materials, or certification displays — face deceptive practices liability when those claims are false, independent of whether the underlying practice was unreasonable.
- Industry baseline at time of conduct — The FTC compares challenged practices against prevailing professional standards documented by bodies such as NIST and the Center for Internet Security (CIS). Failure to implement controls widely adopted by comparable entities weighs toward a finding of unreasonableness.
Section 5 enforcement is distinguished from GLBA Safeguards Rule enforcement by the specificity of required controls. Under the revised Safeguards Rule, covered financial institutions must designate a qualified individual responsible for the security program, conduct risk assessments, implement multi-factor authentication, encrypt customer information in transit and at rest, and maintain a written incident response plan — obligations that are codified rather than inferred from case law. A financial institution that satisfies the Safeguards Rule's enumerated requirements may still face Section 5 liability if its broader security posture causes consumer harm outside the Safeguards Rule's scope.
The penalties landscape further distinguishes between first-time consent order proceedings, which typically do not carry civil monetary penalties, and subsequent order violations, which do. The FTC's 2022 enforcement action against CafePress resulted in a $500,000 civil penalty — a figure that signals the agency's willingness to seek monetary relief in cases involving prior notice or egregious concealment.
References
- Federal Trade Commission Act, Section 5 (15 U.S.C. § 45)
- FTC Safeguards Rule, Final Rule 2021 (16 C.F.R. Part 314)
- FTC Safeguards Rule Final Rulemaking Document (2021)
- Gramm-Leach-Bliley Act — FTC Legal Library
- Children's Online Privacy Protection Act (COPPA) — FTC Legal Library
- FTC Civil Penalty Adjustments, 16 C.F.R. § 1.98
- FTC v. Drizly, LLC — Case Record
- FTC v. CafePress — Case Record
- NIST Cybersecurity Framework — NIST CSRC, https://csrc.nist.