On May 21, 2025, the Federal Trade Commission ("FTC") finalized a decision and order against GoDaddy Inc. and its subsidiary, GoDaddy.com, LLC ("GoDaddy"), after finding that the company failed to implement fundamental data security protections despite representing to customers that it provided secure, reliable website hosting.
According to the FTC complaint, GoDaddy violated Section 5 of the FTC Act by failing to implement standard security tools and practices necessary to protect the environment in which it hosts customer websites and data. Specifically, GoDaddy did not inventory and manage its assets, manage software updates, or assess risks to its hosting services. It failed to deploy multi-factor authentication, did not log or monitor security-related events effectively, and lacked critical tools such as file integrity monitoring and software that could detect threats from system logs. Additionally, GoDaddy did not segment its network to contain potential intrusions, nor did it adequately secure connections to services that provide access to consumer data. These failures made GoDaddy's representations about its data security practices false or misleading.
These failures resulted in a series of data breaches between 2019 and 2022, allowing malicious actors to gain unauthorized access to customer websites and sensitive data. In response, the FTC's order requires GoDaddy to implement a comprehensive information security program, submit to independent third-party assessments, and refrain from misrepresenting its data protection practices in the future.
This case underscores an important point: data security is not just a technical issue but a core compliance and risk management concern. Businesses should ensure that their cybersecurity infrastructure is not only up to date, but also capable of detecting, responding to, and mitigating threats in real time.
Some best practices for data security include:
- Regularly assessing risks to digital services and infrastructure
- Maintaining a complete inventory of assets and updating software promptly
- Using multi-factor authentication and segmenting networks
- Implementing real-time monitoring and logging of security events, with tools capable of detecting suspicious activity
- Accurately representing security capabilities to customers and stakeholders