Registrar and web hosting firm GoDaddy was ordered by the Federal Trade Commission to step up its data security practices or face harsh consequences.
The FTC’s proposed order would put a number of strict security compliance requirements on the company. The commission voted 5-0 to approve the proposed settlement and end its complaint against GoDaddy.
“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”
The deal would settle a complaint the FTC had originally filed against GoDaddy after it found the company’s handling of data and security to be woefully inadequate, dating as far back as 2018.
“GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments,” the commission said of its findings.
The FTC is not the first organization to call out GoDaddy for its poor security practices. The host has suffered a number of data breaches, most notably one in 2022 in which the company was sharply criticized by security experts not only for failing to secure its network, but also for what many viewed as a lax response in discovering and reporting the incident to customers and regulators.
Among the measures GoDaddy will be required to take under the order is setting up and maintaining a security program that will better monitor and catalogue its security assets, settings, and policies.
Additionally, GoDaddy will need to hire a third-party security provider to conduct regular assessments. The company will also be barred from misrepresenting to customers what it can do to monitor and secure their data.
The settlement does not require any admission of wrongdoing and there is no mention of any cash penalty. Should GoDaddy be found in violation of the order, however, it could face steep fines from the FTC.