The Federal Trade Commission (FTC) has announced a settlement with GoDaddy, requiring the web hosting company to enhance its data security measures. This action comes after allegations that GoDaddy failed to protect its website-hosting services from potential attacks, which could harm both customers and visitors.

According to the FTC's complaint, since 2018, GoDaddy did not implement adequate security measures for its website-hosting environments. The company is also accused of misleading customers about the level of data security it provided.

In response, the FTC has proposed a settlement order mandating GoDaddy to establish a comprehensive data security program. This program is expected to align with those in other FTC cases, such as the recent Marriott International settlement.

"Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on," stated Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. "The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe."

GoDaddy Inc., based in Arizona along with its subsidiary GoDaddy.com, LLC, is one of the largest web hosting companies globally with around five million customers. The FTC's complaint highlights several deficiencies in GoDaddy's security practices including poor asset management and inadequate monitoring of security events.

Between 2019 and 2022, these shortcomings reportedly led to significant breaches where unauthorized access was gained to customer websites and data. Such incidents posed risks for consumers visiting these sites as they were redirected to malicious websites.

Furthermore, the FTC claims that GoDaddy misled customers by asserting compliance with privacy frameworks such as the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks while failing to take appropriate protective measures.

The proposed order will prevent GoDaddy from making false representations about its security practices in future communications. It will also require them to develop an information-security program ensuring confidentiality and integrity in their services. An independent third-party assessor will conduct initial and biennial reviews of this program.

The Commission unanimously voted 5-0 on issuing the administrative complaint and accepting the proposed consent agreement. Commissioner Melissa Holyoak agreed but dissented on Count III in the complaint.

A description of this consent agreement package will soon be published in the Federal Register for public comment over a period of 30 days before deciding if it becomes final. Instructions for submitting comments will be included in this notice.

Once finalized, any violation of this consent order may lead to civil penalties up to $51,744 per incident. Jarad Brown and David Walko from the FTC’s Bureau of Consumer Protection are leading this case.

The Federal Trade Commission aims at promoting competition while protecting consumer interests through education initiatives without demanding money or making threats against individuals or businesses.