Federal Trade Commission Proposes Order Against GoDaddy for Secur

Hunton Andrews Kurth’s Privacy and Cybersecurity

Email

212 309 1223 direct

Bio and Articles

Find Your Next Job !

Family/Matrimonial Law Attorney
On Balance Search Consultants

Associate Attorney – Family Law
The Micklin Law Group

Matrimonial Attorney
On Balance Search Consultants

Explore More Job Openings

FTC Issues Proposed Order Against GoDaddy and Provides Guidance on Security Practices

by: Hunton Andrews Kurth’s Privacy and Cybersecurity of Hunton Andrews Kurth - Privacy and Information Security Law Blog-Hunton Andrews Kurth

Friday, January 24, 2025

Print Mail Download info_icon_img

/>i

On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy Inc. and its operating subsidiary GoDaddy.com, LLC, (collectively, “GoDaddy”) for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.

According to the FTC’s complaint, GoDaddy failed to adopt reasonable and appropriate measures to protect certain portions of GoDaddy’s web hosting environment from unauthorized access.

The FTC alleged that GoDaddy’s unreasonable security practices l included failing to: inventory and manage computer assets and security-related software updates (i.e., patches); assess risks to its web hosting environment; adequately log and monitor security-related events in its web hosting environment; implement multi-factor authentication; segment its web hosting environment from less-secure portions of its network; and secure connections to application programming interfaces.

According to the FTC, GoDaddy’s data security failures resulted in several major compromises of its web hosting environment between 2019 and 2022 in which threat actors gained unauthorized access to certain GoDaddy customer websites and data. These incidents exposed consumers visiting the websites to risks, including redirection to malicious websites.

GoDaddy also allegedly misrepresented that it used reasonable and appropriate measures to protect its web hosting environment from unauthorized access and that it adhered to the EU-U.S. and/or Swiss-U.S. Privacy Shield Principles, including the Security Principle, which requires companies to use reasonable and appropriate measures to protect personal information.

The proposed order will: (1) prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with a privacy or security program; (2) require GoDaddy to establish and implement a comprehensive information security program that protects the security, confidentiality and integrity of its web hosting services; and (3) mandate that GoDaddy hire an independent third-party assessor to conduct an initial and biennial review of its information security program.

In the FTC’s guidance in light of the settlement, the agency highlights that customers of web hosting services should ask for information on the security practices employed and breaches experienced by web hosts, review FTC cybersecurity resources for small businesses, and report potential scams or cyberthreats to the FTC.