FTC requires GoDaddy to beef up security

The Federal Trade Commission has reported it will require web hosting company GoDaddy Inc and GoDaddy.com, LLC to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services. GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the complaint. The Commission says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data.

In its proposed settlement order, the FTC will:

Prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks;

Require GoDaddy to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and

Mandate that GoDaddy hire an independent third-party assessor who conducts an initial and biennial review of its information-security program.