FTC Data Security Enforcement Actions and Standards
The Federal Trade Commission exercises broad enforcement authority over data security practices affecting American consumers, drawing primarily on Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. This page describes the scope of FTC data security jurisdiction, the mechanics of enforcement actions, the types of organizations subject to scrutiny, and the standards used to distinguish compliant from non-compliant security postures. Professionals operating in privacy, compliance, and data protection roles encounter FTC enforcement as one of the most consequential regulatory frameworks in the US cybersecurity landscape.
Definition and scope
The FTC's authority over data security does not derive from a single comprehensive data protection statute but from the general prohibition on "unfair or deceptive acts or practices in or affecting commerce" under 15 U.S.C. § 45 (Section 5 of the FTC Act). Under the unfairness prong, a data security practice is actionable when it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits.
In addition to Section 5, the FTC administers two sector-specific frameworks that impose affirmative security requirements:
- The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule — Codified at 16 C.F.R. Part 314, this rule requires financial institutions under FTC jurisdiction (non-bank entities such as mortgage lenders and brokers, auto dealers that extend credit, payday lenders, and tax preparers) to implement a written information security program containing administrative, technical, and physical safeguards. A 2021 amendment, with most provisions effective in June 2023, replaced the rule's original open-ended language with specific required elements; a further 2023 amendment, effective May 2024, added a duty to notify the FTC within 30 days of discovering a notification event involving the unencrypted customer information of 500 or more consumers.
- The Health Breach Notification Rule — Codified at 16 C.F.R. Part 318, this rule requires vendors of personal health records and related entities not covered by HIPAA to notify affected consumers, the FTC, and, when a breach involves 500 or more residents of a state, prominent media outlets in that state, following a breach of unsecured PHR identifiable health information. A 2024 amendment clarified that the rule reaches health apps and similar technologies that draw health data from multiple sources.
Section 5 itself carves certain entities out of FTC jurisdiction, notably banks, savings and loan institutions, federal credit unions, and common carriers acting as such, which answer to their prudential regulators or the FCC instead. Other sectors are primarily policed by another agency without being exempt: HIPAA-covered entities answer first to HHS/OCR, yet the FTC has brought data security actions against such entities under Section 5 (LabMD was one). Jurisdictional overlap is therefore common, particularly for health apps and financial technology companies.
How it works
FTC data security enforcement proceeds through a defined sequence of investigative and remedial stages:
- Complaint or referral intake — The FTC receives complaints through consumer reporting channels, monitors media coverage of breaches, and coordinates with other agencies. Many investigations originate from public breach disclosures.
- Civil investigative demand (CID) — The FTC may issue a CID compelling document production, interrogatory responses, or testimony from a company under investigation, without initiating formal litigation.
- Staff investigation and proposed consent — FTC staff evaluate whether the company's security practices constitute an unfair or deceptive act. If staff determine a violation occurred, they typically negotiate a consent order before filing a complaint.
- Administrative complaint and consent order — The FTC issues a public complaint and simultaneously announces a proposed consent order, which is published for public comment before it is finalized. Consent orders require the company to implement a comprehensive information security program, obtain periodic third-party assessments, and certify compliance to the FTC, typically for 20 years.
- Federal court action — For violations of existing consent orders, and for violations of rules that carry civil-penalty authority such as the Health Breach Notification Rule, the FTC may seek civil monetary penalties in federal district court. A first-time Safeguards Rule violation does not by itself carry a civil penalty; it is pursued through a consent order, and penalties follow if that order is later breached. The inflation-adjusted penalty is $51,744 per violation, with each day of a continuing violation counted separately (16 C.F.R. § 1.98).
Third-party security assessors are a central compliance mechanism under consent orders. Assessors must be qualified, independent professionals who examine the company's security program, typically in an initial assessment followed by biennial assessments for the life of the order, and who report whether it satisfies the order's requirements. Recent orders require the assessor to base findings on independent testing and review rather than on management assertions alone.
Common scenarios
FTC enforcement actions cluster around identifiable failure patterns:
- Inadequate authentication controls — Enforcement actions such as In re Drizly, LLC (2022) cited failure to require multi-factor authentication for access to code repositories and cloud resources, and failure to limit employee access to sensitive data, as core deficiencies. The Drizly order also bound the company's CEO personally, following him to future companies where he holds a senior role.
- Deceptive privacy representations — A company claims to encrypt consumer data or to employ "reasonable" security, but post-breach investigation reveals no encryption was applied to stored records. The deception prong of Section 5 does not require proof of consumer injury; a material representation likely to mislead reasonable consumers is sufficient.
- Third-party vendor failures — The FTC has treated inadequate vendor oversight as an independent unfairness basis. Companies that transmit consumer data to third parties without contractual security requirements or without auditing those vendors face liability for downstream breaches.
- Failure to patch known vulnerabilities — In the FTC's 2019 action against Equifax, failure to patch a publicly disclosed Apache Struts vulnerability for months after the vendor advisory was a central allegation; earlier actions such as In re BJ's Wholesale Club (2005) similarly cited failure to use readily available security measures. Patch timeliness is benchmarked against the date of the vendor-issued advisory, not the date the company happened to notice it.
- Consent order violations — Companies that have previously entered consent orders face significantly elevated exposure. Violations of existing orders are subject to civil penalty actions, usually coupled with an expanded order, rather than a fresh consent negotiation alone.
These enforcement patterns directly inform compliance practice: compliance professionals and researchers use the public record of complaints and orders to calibrate organizational security benchmarks.
Decision boundaries
The central analytical question in FTC data security enforcement is whether a company's security practices were "reasonable" given the sensitivity of data held, the size of the organization, and the cost of available safeguards. The FTC articulated this standard in its Start with Security guidance (FTC, 2015); FTC v. Wyndham Worldwide Corp. (3d Cir. 2015) upheld the agency's authority to apply it under the unfairness prong, while LabMD, Inc. v. FTC (11th Cir. 2018) vacated an order that demanded only "reasonable" security without specifying the controls required, which is why later orders spell out concrete measures.
Key boundaries that determine enforcement exposure:
| Factor | Higher Enforcement Risk | Lower Enforcement Risk |
|---|---|---|
| Data sensitivity | Social Security numbers, health records, financial account data | Non-sensitive operational data |
| Breach scope | Millions of consumers affected | Isolated, contained incident |
| Foreseeability | Known vulnerabilities left unaddressed | Novel, unforeseeable attack vector |
| Representations | Affirmative security claims in privacy policy | No specific security representations made |
| Consent order history | Active or prior consent order in place | No prior FTC action |
The contrast between Section 5 unfairness and deception matters operationally: an unfairness claim requires demonstrated or likely consumer harm, while a deception claim requires only a material misrepresentation that consumers would reasonably rely upon. A company that makes no explicit security claims but maintains demonstrably deficient practices is primarily exposed under the unfairness prong.
The Safeguards Rule under GLBA imposes prescriptive requirements, among them a designated qualified individual, a written risk assessment, encryption of customer information in transit and at rest (or compensating controls approved by the qualified individual), multi-factor authentication for anyone accessing customer information, an incident response plan, and periodic reporting to the board. These differ from the flexible reasonableness standard of Section 5. Non-bank financial entities should treat Safeguards Rule compliance as a floor, not a ceiling, given that Section 5 enforcement can reach practices the rule does not explicitly address.
For researchers and compliance professionals mapping the full regulatory architecture, these enforcement standards must be read alongside the sector-specific obligations, such as GLBA, HIPAA, and the Health Breach Notification Rule, that apply to a given organization.