On January 15, 2025, the Federal Trade Commission (FTC) announced a proposed settlement with GoDaddy Inc. (GoDaddy) for making false or misleading representations about their security practices in violation of Section 5 of the FTC Act.
GoDaddy, a website hosting company, serves approximately 5 million customers. In the complaint, the FTC indicated that although GoDaddy had marketed itself as a secure choice for customers to host their websites, their “data security program was unreasonable for a company of its size and complexity.” The FTC further stated that GoDaddy was “blind to vulnerabilities and threats in its hosting environment” despite marketing itself as a “secure choice for customers to host their websites, touting its commitment to data security and careful threat monitoring practices in multiple locations, including its main website for hosting services, its ‘Trust Center,’ and in email and online marketing.”
The FTC listed numerous examples of GoDaddy’s improper security practices in the complaint. Some of these examples included failing to:
- Inventory and manage assets;
- Manage software updates;
- Assess risks to its website hosting services;
- Implement multi-factor authentication (MFA);
- Log security-related events;
- Monitor for security threats, including failing to use software that could actively detect threats, and failing to use file integrity monitoring;
- Segment its network; and
- Secure connections to services that provide access to consumer data.
The proposed settlement lists a plethora of cybersecurity injunctive relief provisions that GoDaddy must adhere to within the coming months. A number of the requirements are fairly standard and have been included in past FTC cybersecurity settlements, such as establishing, implementing, and maintaining a comprehensive information security program and reporting to GoDaddy’s board of directors (or equivalent governing body) on the information security program, including any material evaluations or material updates, at least once every 12 months and promptly (not to exceed 120 days) following a security incident. Other cybersecurity requirements are, however, unique and quite prescriptive. For example, GoDaddy is required to:
- Asset and software inventory. Within 90 days, GoDaddy must implement, maintain, and document “centralized system component inventories, including of hardware, software, and firmware elements, that track out-of-date and vulnerable versions of each Respondent-managed software program, operating system file, and firmware that is installed on any tracked asset, and create an alert for each asset that is using an out-of-date or vulnerable version.” Maintaining an up-to-date asset and software inventory requires significant ongoing resources, as well as mature processes to ensure that no asset (including any “bring your own” personal devices, if GoDaddy permits them) slips through the cracks and goes untracked.
- End-of-life assets. On the theme of tracking assets, within 180 days, GoDaddy must disconnect all assets with software that is no longer supported (i.e., “end-of-life”) to minimize the number of vulnerabilities within GoDaddy’s environment. GoDaddy may temporarily retain assets that are end-of-life if disconnection is infeasible and mitigating controls are implemented.
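As an added illustration of the inventory, alerting, and end-of-life rules described in the two items above (this is example code written for this post, not GoDaddy’s tooling or anything from the FTC order), the following Python check flags out-of-date and end-of-life components and applies the “disconnect unless mitigations are documented” rule. The support table, asset names, and version numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(text: str) -> tuple:
    """Turn "8.0.30" into (8, 0, 30) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

# Constructed support table (hypothetical values, not GoDaddy's data):
# product -> oldest version still receiving fixes; None = whole product is end-of-life.
SUPPORT_TABLE = {
    "php": parse_version("8.1"),
    "openssl": parse_version("3.0"),
    "centos": None,   # no supported release at all: end-of-life
}

@dataclass
class Asset:
    name: str
    components: dict                   # product -> installed version string
    mitigations: Optional[str] = None  # documented compensating controls, if any

def evaluate_asset(asset: Asset, table: dict = SUPPORT_TABLE) -> list:
    """Return one alert per untracked, out-of-date, or end-of-life component."""
    alerts = []
    for product, version in asset.components.items():
        if product not in table:
            alerts.append({"asset": asset.name, "component": product,
                           "reason": "untracked product", "action": "add to inventory"})
            continue
        floor = table[product]
        if floor is None:
            # End-of-life software: disconnect unless retention is documented with mitigations
            action = "retain with mitigations" if asset.mitigations else "disconnect"
            alerts.append({"asset": asset.name, "component": product,
                           "reason": "end-of-life", "action": action})
        elif parse_version(version) < floor:
            alerts.append({"asset": asset.name, "component": product,
                           "reason": "out-of-date version %s" % version, "action": "update"})
    return alerts

def evaluate_inventory(assets: list) -> list:
    """Run the check across every tracked asset and collect all alerts."""
    return [a for asset in assets for a in evaluate_asset(asset)]

# Constructed sample inventory (hypothetical hosts and versions)
SAMPLE_INVENTORY = [
    Asset("web-01", {"php": "8.2.4", "openssl": "3.0.13"}),
    Asset("web-02", {"php": "7.4.33", "openssl": "3.1.0"}),
    Asset("legacy-db", {"centos": "7.9", "openssl": "1.1.1"}, mitigations="isolated VLAN, no inbound"),
]
```

Running `evaluate_inventory(SAMPLE_INVENTORY)` yields no alert for web-01, an update alert for web-02’s PHP, and for legacy-db both an end-of-life alert (retained because mitigations are documented) and an update alert for OpenSSL.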
- Phishing-resistant MFA. Also within 180 days, GoDaddy must implement phishing-resistant MFA for employees, contractors, and third-party affiliates accessing GoDaddy’s “Hosting Service,” which includes any service GoDaddy advertises, promotes, offers for sale, sells, or otherwise provides to customers in the U.S. for the purpose of providing customer access to computer equipment or storage to host websites. Telephone calls and SMS-based authentication methods are expressly excluded as MFA methods. This aligns with other regulators, such as the New York Department of Financial Services (NYDFS), who are also pushing more secure forms of MFA. (See NYDFS’ guidance on AI-related cybersecurity risks.)
- Customer MFA. The FTC also requires GoDaddy to offer customers at least one MFA method, or a widely adopted industry authentication option that provides at least equivalent security. The MFA method cannot require that customers provide their telephone number.
- Secure APIs. GoDaddy must also secure any application programming interface (API) that provides access to any Hosting Service configuration or administration or to “Covered Information” (which is generally defined to include information collected by GoDaddy from or about an individual consumer). GoDaddy must, at a minimum, require secure connections to the API, such as by the use of HTTPS; require a secure authentication method that protects the authenticity of the session and protects against session hijacking and the insertion of false information into sessions; implement rate limiting; and monitor inbound and outbound API communications traffic to detect potential cybersecurity attacks.
- Independent third-party assessment. GoDaddy must obtain initial and biennial assessments (for the next 20 years) of GoDaddy’s information security program, and any documents relevant to the assessments must be provided to the FTC within 10 days following receipt of a written request from the FTC. The assessments must evaluate GoDaddy’s compliance with the injunctive relief requirements in the proposed settlement, the effectiveness of GoDaddy’s controls in meeting the prescriptive requirements in the proposed settlement, any gaps or weaknesses, and how GoDaddy will address those gaps or weaknesses. Importantly, the assessments cannot rely primarily on assertions or attestations by GoDaddy’s management; GoDaddy must provide artifacts of compliance.
The FTC’s proposed settlement emphasizes the need for proper security within a company. Further, companies should ensure that the security claims they make to consumers do not overstate the security their systems actually provide.