US Federal Trade Commission settles with GoDaddy over Data Security breaches

May 27, 2025

The Federal Trade Commission (the “FTC”) is the primary regulator of privacy-related issues involving companies in the United States. It has been quite successful in obtaining settlements from large companies such as Facebook. The usual route to jurisdiction is a company making misleading claims about what it does with information or about its data security, and that is what happened with GoDaddy. GoDaddy claimed to provide “award winning security”. It did not, to the point that it failed to implement standard security tools and practices. Worse, it suffered security breaches between 2019 and 2022 in which attackers gained access to customers’ websites and data. The FTC commenced proceedings in January this year and GoDaddy entered into an order with the FTC last week.

Features of the order are that:

  • within 90 days after the effective date GoDaddy must “… establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Hosting Service and Covered Information”. That includes:
    • Document in writing the content, implementation, and maintenance of the Information Security Program
    • Provide the written program and any material evaluations/ material updates to the board of directors/ a relevant committee thereof/ governing body/ a senior officer responsible for the Information Security Program at least once every 12 months and promptly (not to exceed 120 days) following an Incident
    • Designate a qualified employee to coordinate and be responsible for the Information Security Program
    • Assess and document, and update at least once every 12 months and promptly (not to exceed 120 days) following an Incident, internal and external risks to the security, confidentiality, or integrity of any Hosting Service or Information that could result in:
      • (1) unauthorized access to any Hosting Service;
      • (2) the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, the Information; or
      • (3) misuse, loss, theft, alteration, destruction, or other compromise of such information.
    • Design, implement, maintain, and document safeguards that control for the internal and external risks identified to the security, confidentiality, or integrity of any Hosting Service or Information. Each safeguard must be based on the volume and sensitivity of the Information that is at risk, and the likelihood that the risk could be realized and result in:
      • unauthorized access to any Hosting Service;
      • the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or
      • misuse, loss, theft, alteration, destruction, or other compromise of such information.

  • set up the following measures within:
    • 90 days:
      • Implement and maintain centralized system component inventories that track the out-of-date and vulnerable versions of software programs, operating system files, and firmware installed on any tracked asset, and create an alert for each asset that is using an out-of-date or vulnerable version;
      • Employ automated tools and mechanisms, such as a security incident and event manager (“SIEM”) or equivalent program, to support near real-time analysis of events;
      • Create and retain system audit logs and records collected by Respondents to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity;
      • Require that all secure shell (“SSH”) logins by employees, contractors, and third-party affiliates be authenticated using:
        • a method, such as certificates or public/private key pairs, in which at least one component of the credential transmitted to the relying party is not static across multiple authentications, unless such credential is short-lived; or
        • widely-adopted industry authentication options that provide at least equivalent security
    • 180 days:
      • Disconnect from the Hosting Service environment all hardware assets with software installed that is no longer supported by a vendor or other party through the provision of software updates or patches to address vulnerabilities, such as software that is considered end-of-life, or, if disconnection is infeasible, temporarily implement appropriate controls to mitigate threats and document a plan to disconnect the asset or software that includes an appropriate timeline
      • Use technical measures to detect and prevent anomalous changes to critical operating system and application files by comparing such files to known baselines, such as file hash values, or, where such baselines are not available, by relying on methods such as non-signature-based technologies, including techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective.
      • Require that at least one multi-factor authentication method, or widely-adopted industry authentication option that provides at least equivalent security, be provided as an option for customers to authenticate into any developed Hosting Service administration tool or database (excluding any SSH or machine-to-machine-only interface, such as an application programming interface (“API”), that does not support multi-factor authentication), including offering customers at least one method that does not require the customer to provide a telephone number, such as by integrating authentication applications or allowing the use of security keys.
      • Protect any API that provides access to any Hosting Service configuration or administration or Covered Information
  • Assess, at least once every 12 months and promptly (not to exceed 120 days) following an Incident, the sufficiency of any safeguards and security measures in place to address the internal and external risks to the security, confidentiality, or integrity of Hosting Services and Covered Information, and modify the Information Security Program as needed based on the results;
  • Test and monitor the effectiveness of the safeguards and security measures at least once every 12 months and promptly (not to exceed 120 days) following an Incident
  • Select and retain service providers capable of safeguarding Hosting Services and Information, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Hosting Services and such Information
  • Evaluate and adjust the Information Security Program as needed in light of any changes to operations or business arrangements, a Covered Incident, or new or more efficient technological or operational methods to control for the risks
  • obtain biennial assessments from a qualified, objective, independent third-party professional (“Assessor”), who:
    • uses procedures and standards generally accepted in the profession;
    • conducts an independent review of the Information Security Program;
    • designates all documents relevant to each Assessment for retention for 5 years after completion of such Assessment, and
    • provides any such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission.
  • undertake annual certification that:
    • it has established, implemented, and maintained the requirements of this Order;
    • it is not aware of any material noncompliance that has not been
      • (a) corrected or
      • (b) disclosed to the FTC; and
    • includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior executive officer or any senior corporate manager, senior officer, or subject matter experts upon whom the senior executive officer relies in making the certification
  • report an Incident within 10 days after discovering it, with:
    • The date, estimated date, or estimated date range when the Incident occurred;
    • A description of the facts relating to the Incident, including the causes, if known;
    • A description of each type of information that was affected by the Incident
    • The number of consumers or businesses whose information, account, or website was affected by the Incident
    • The acts it has taken to date to remediate the Incident and protect Hosting Services and Information from further exposure or access, and protect affected individuals and businesses from identity theft or other harm that may result from the Incident; and
    • A representative copy of any materially different notice to consumers or businesses or to any U.S. federal, state, or local government entity
  • the order lasts for 20 years.
  • it must create and retain records for 5 years, including:
    • accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and the resulting net profit or loss
    • personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination
    • records of all written or electronic consumer complaints stored in any applicable system of record, in connection with Hosting Services, concerning information security, data privacy, or any privacy or security program sponsored by a government or self-regulatory or standard-setting organization
    • a copy of each materially different advertisement or other marketing material making a representation subject to this Order
    • a copy of each widely disseminated, materially different representation that describes the extent to which it maintains or protects the privacy, security and confidentiality of any Hosting Services and Covered Information, including any representation concerning a change in any service that relates to the privacy, security, and confidentiality of any Hosting Service or Covered Information
  • within 10 days of a written request from the FTC it must submit additional compliance reports and make any person available for interview
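The 90-day inventory and alerting item and the 180-day end-of-life disconnection item above describe one concrete control. As an added illustration (not code from the order, from GoDaddy or from the FTC), the following Python sketches the core of that check: a constructed inventory of assets and installed versions is compared against a constructed policy table of minimum fixed versions and vendor end-of-life dates, and one alert is raised per asset and product. Every asset name, product, version and date is invented for the example; a real implementation would take the inventory from a CMDB or endpoint agent and the thresholds from vendor advisories and a vulnerability feed.

```python
"""Added example: a minimal centralized software inventory check.

Illustrative code written for this post; it is not GoDaddy's tooling and not
part of the FTC order. Every asset, product, version and date below is
constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Policy:
    min_version: str            # lowest version with no known unpatched vulnerability
    eol: Optional[date] = None  # vendor end-of-support date, if the product is EOL


@dataclass(frozen=True)
class Asset:
    name: str
    software: dict              # product -> installed version string


# Constructed policy table (hypothetical thresholds, not vendor data).
POLICY = {
    "nginx": Policy(min_version="1.26.0"),
    "php": Policy(min_version="8.2.0"),
    "legacy-cms": Policy(min_version="2.4", eol=date(2023, 1, 1)),
}

# Constructed inventory snapshot, as an agent or CMDB export might supply it.
ASSETS = [
    Asset("web-01", {"nginx": "1.24.0", "php": "8.3.4"}),
    Asset("web-02", {"nginx": "1.26.1", "php": "8.1.2", "redis": "7.2.4"}),
    Asset("legacy-01", {"nginx": "1.18.0", "legacy-cms": "2.4"}),
]

TODAY = date(2025, 5, 27)


def parse_version(text: str) -> tuple:
    """Turn '1.26.1', '9.6p1' or '8.3' into a comparable tuple of ints.

    Non-numeric suffixes are dropped and missing components compare as 0,
    so '9.6p1' -> (9, 6, 0). Adequate for the example; real tooling should
    apply each vendor's own version ordering rules.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def check_inventory(assets, policy, today):
    """Return one (asset, product, version, kind) alert per finding.

    kind is 'outdated' (below the minimum fixed version), 'end-of-life'
    (vendor support has ended, so the asset must be disconnected or
    mitigated) or 'untracked' (installed software with no policy entry,
    which an inventory must surface rather than silently ignore).
    """
    alerts = []
    for asset in assets:
        for product, version in asset.software.items():
            rule = policy.get(product)
            if rule is None:
                alerts.append((asset.name, product, version, "untracked"))
                continue
            if rule.eol is not None and rule.eol <= today:
                alerts.append((asset.name, product, version, "end-of-life"))
            if parse_version(version) < parse_version(rule.min_version):
                alerts.append((asset.name, product, version, "outdated"))
    return sorted(alerts)


def assets_to_disconnect(alerts):
    """Assets carrying end-of-life software: candidates for the 180-day disconnect item."""
    return {asset for asset, _, _, kind in alerts if kind == "end-of-life"}


if __name__ == "__main__":
    findings = check_inventory(ASSETS, POLICY, TODAY)
    for asset, product, version, kind in findings:
        print(f"ALERT {kind:12} {asset}: {product} {version}")
    print("disconnect:", sorted(assets_to_disconnect(findings)))
```

Two design points worth noting. Software with no policy entry is reported rather than ignored, because an inventory that only checks what it already knows about is exactly the gap the complaint describes. And an end-of-life product is flagged even when its installed version meets the minimum, since no further patches will arrive; that is the case the order handles by requiring disconnection or documented compensating controls.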

The FTC orders are much more comprehensive and onerous than those made in Australia, and more comprehensive than the UK’s equivalent as well. They are also structured quite differently. Some aspects of them would nonetheless be useful to apply in the Australian context. They are also a good insight into what organisations should do to maintain proper cybersecurity: in many ways an FTC order sets out in detail the controls an organisation should have in place.
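The 180-day file-integrity item in the list above (comparing critical operating system and application files to known baselines such as hash values) is the control that would surface the kind of tampering the FTC describes, where visitors to hosted sites were redirected to malicious pages. As an added example, not code from the order, from GoDaddy or from the FTC, the following Python builds a SHA-256 baseline of a directory tree and reports files that were modified, added or removed. The demo constructs its own throwaway web root in a temporary directory, so every path and file content in it is invented.

```python
"""Added example: hash-baseline file integrity check.

Illustrative code written for this post, not GoDaddy's tooling and not part of
the FTC order. demo() builds a throwaway web root in a temporary directory;
all file names and contents are constructed for the example.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: changed hashes, new paths, and paths that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Baseline a constructed web root, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "htdocs" / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "htdocs" / "robots.txt").write_text("User-agent: *\n")
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF placeholder binary")

        baseline = build_baseline(root)  # in practice: stored off-host, signed, versioned

        # Simulated tampering: a redirect injected into a page, an unexpected
        # file dropped, and a legitimate file deleted. bin/sshd is untouched.
        (root / "htdocs" / "index.php").write_text(
            "<?php header('Location: http://attacker.invalid/'); ?>\n"
        )
        (root / "htdocs" / "dropped.php").write_text("<?php /* unexpected */ ?>\n")
        (root / "htdocs" / "robots.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: keep it off the monitored host (or signed), and regenerate it as a deliberate step after each approved deployment, otherwise an attacker who can write the files can also write the baseline. Hash comparison says nothing about files that had no baseline at all, which is why the order falls back to non-signature-based, heuristic detection for that case.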

The media release provides:

The Federal Trade Commission will require web hosting company GoDaddy to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.

In its proposed settlement order, the FTC is requiring GoDaddy to establish a comprehensive data security program that is similar to those in other FTC cases, including the recent settlement with Marriott International.

“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”

Arizona-based GoDaddy Inc. and its operating subsidiary GoDaddy.com, LLC make up one of the world’s largest web hosting companies, with approximately five million web hosting customers.

GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the FTC’s complaint.

The FTC says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data. These breaches exposed consumers visiting the websites to risks, including that consumers were redirected to malicious websites.

Additionally, the FTC alleges that GoDaddy misled customers, through claims on its websites and in email and social media ads, by representing that it deployed reasonable security and that it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which require companies to take reasonable and appropriate measures to protect personal information.

Proposed Order Requirements

The FTC’s proposed order will prohibit GoDaddy from misleading its customers about its security practices in the future and ensure that it has reasonable security going forward.

The order will:

    • Prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks;
    • Require GoDaddy to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
    • Mandate that GoDaddy hire an independent third-party assessor who conducts an initial and biennial review of its information-security program.

 
