The Federal Trade Commission (FTC) issued a proposed settlement order against GoDaddy alleging that it “has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.”

The proposed settlement order requires GoDaddy “to establish a comprehensive data security program that is similar to those in other FTC cases, including the recent settlement with Marriott International.”

The complaint alleged that GoDaddy had unreasonable security measures, including “failing to inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments.” These data security failures caused several “major security breaches between 2019 and 2022.”

The order prohibits GoDaddy from misrepresenting its security practices, and requires it to establish and implement a comprehensive security program to be reviewed by an independent third-party assessor.