Data Breaches: What the FTC Actually Expects

Rohan Sookdeo
April 7, 2026
rohan@streamlinedtsm.com
Learn what counts as a breach, what regulators look for, and how to build a system that protects your firm before issues happen.

Understanding What Counts as a Data Breach

When most business owners hear "data breach," they imagine sophisticated hackers breaking through firewalls. The reality is far different—and more concerning. According to the FTC and NIST, a data breach encompasses any unauthorized access, use, or disclosure of personal information, regardless of how it happens.

A breach can occur through:

  • Cyber attacks - Ransomware, malware, SQL injection, or credential stuffing
  • Accidental exposure - Unencrypted files, misconfigured cloud buckets, or email sent to wrong recipients
  • Physical theft - Lost laptops, stolen hard drives, or unattended documents
  • Insider threats - Employees with legitimate access downloading or sharing data inappropriately
  • Weak access controls - Shared passwords, default credentials, or accounts that remain active after they should have been disabled
  • Third-party compromise - Vendor or service provider breach affecting your data

Small businesses are increasingly targeted because they're perceived as easier marks. According to the 2024 Verizon Data Breach Investigations Report, small businesses accounted for over 60% of all breach victims. And yet many small business owners assume "we're too small to target"—a dangerous misconception.

The FTC Safeguards Rule: What You Actually Need to Do

The FTC Safeguards Rule (updated in 2023) applies to any business that maintains personal information about consumers or employees. This includes:

  • Name and address
  • Social security number
  • Financial account information
  • Credit or debit card numbers
  • Health or medical information
  • Passwords and security questions

The rule isn't prescriptive about exactly what controls to implement—but it's very clear about what you must demonstrate:

1. Information Security Program (ISP)

You must establish and maintain a comprehensive written program. This includes:

  • A designated person responsible for your information security program
  • Regular written assessments of your safeguards
  • Documentation of your risk assessment methodology
  • A plan that addresses identified risks

The FTC has cited businesses for having programs that existed only in theory. If you can't produce documentation, you're non-compliant.

2. Governance and Risk Assessment

You must:

  • Identify what personal data you collect and where it's stored
  • Assess the risks to that data
  • Rate risks by likelihood and potential impact
  • Document your methodology
  • Review and update assessments at least annually

This is where most small businesses fail. They skip the documentation, thinking informal knowledge is enough. It isn't. When audited, if you can't show a written assessment, you're assumed to have none.

3. Safeguards (The Actual Controls)

Based on your risk assessment, you must implement safeguards that address those risks. Common requirements include:

Access Controls:

  • Role-based access (least privilege principle)
  • Multi-factor authentication on sensitive systems
  • Strong password requirements
  • Removal of access when employees leave or change roles
  • Monitoring of privileged account usage
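The access-control bullets above are the kind of thing an auditor will ask you to evidence, and a periodic access review is the simplest way to produce that evidence. The following is an added example, not code from the original post or from Streamlined Technology Services: it runs three of the listed checks (departed employees still enabled, dormant accounts, privileged accounts without MFA) over a constructed account export. The record layout, the 90-day dormancy threshold and the set of privileged roles are assumptions a firm would replace with its own.

```python
"""Access review over a constructed account export (added example).

Assumed record layout: one dict per account, as an HR/IT export might
produce it. The threshold and role set are illustrative assumptions.
"""
from collections import Counter
from datetime import date, timedelta

INACTIVITY_DAYS = 90                      # assumption: firm's dormancy threshold
PRIVILEGED_ROLES = {"admin", "finance"}   # assumption: roles treated as privileged

# Constructed sample export; no real people or systems.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": "2026-04-01", "employed": True,  "role": "admin",   "mfa": True},
    {"user": "bob",   "enabled": True,  "last_login": "2025-11-15", "employed": False, "role": "staff",   "mfa": False},
    {"user": "carol", "enabled": True,  "last_login": "2025-12-20", "employed": True,  "role": "staff",   "mfa": True},
    {"user": "dave",  "enabled": True,  "last_login": "2026-03-30", "employed": True,  "role": "finance", "mfa": False},
    {"user": "svc-backup", "enabled": True, "last_login": None,     "employed": True,  "role": "admin",   "mfa": False},
    {"user": "erin",  "enabled": False, "last_login": "2025-01-10", "employed": False, "role": "staff",   "mfa": False},
]


def review_accounts(accounts, today, inactivity_days=INACTIVITY_DAYS):
    """Return (user, finding) pairs for enabled accounts that fail a check.

    Checks, in order: departed employee still enabled; no login within the
    dormancy window (or never logged in); privileged role without MFA.
    """
    findings = []
    cutoff = today - timedelta(days=inactivity_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to review
        user = acct["user"]
        if not acct["employed"]:
            findings.append((user, "departed employee still enabled"))
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append((user, f"no login in {inactivity_days}+ days"))
        if acct["role"] in PRIVILEGED_ROLES and not acct["mfa"]:
            findings.append((user, "privileged account without MFA"))
    return findings


def summarize(findings):
    """Count findings by type; this is the line an access-review record cites."""
    return dict(Counter(finding for _, finding in findings))


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, today=date(2026, 4, 7))
    for user, finding in results:
        print(f"{user:12} {finding}")
    print(summarize(results))
```

Run it on a quarterly schedule, keep the output with the date and reviewer's name, and you have the "documentation of your safeguards" the rule asks for rather than a verbal assurance that accounts get cleaned up.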

Data Protection:

  • Encryption of sensitive data at rest
  • Encryption of data in transit
  • Secure deletion/destruction of data when no longer needed
  • Secure disposal of physical devices containing data

System Administration:

  • Regular updates and patches
  • Vulnerability scanning and remediation
  • System hardening (removing unnecessary services)
  • Inventory of hardware and software
  • Secure configuration standards

Incident Detection and Response:

  • Monitoring for unauthorized access attempts
  • Logging of security events
  • Incident response procedures
  • Breach notification procedures
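"Monitoring for unauthorized access attempts" and "logging of security events" only count if something actually reads the logs. As an added example, not the post's own tooling, here is a small detector over constructed authentication log lines: it flags a source address that produces a burst of failed logins inside a short window, and separately flags a successful login that follows repeated failures from the same source, which is the pattern credential stuffing leaves behind. The log format, the five-failure threshold and the ten-minute window are assumptions; real systems differ in format and a firm would tune the thresholds to its own traffic.

```python
"""Failed-login burst detection over constructed auth log lines (added example).

Assumed line format: "<ISO timestamp>Z auth: <Failed|Accepted> password for
[invalid user ]<user> from <ip>". The sample uses documentation IP ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)$"
)

# Constructed sample log: one noisy source, one low-rate source, one normal login.
SAMPLE_LOG = """
2026-04-07T09:15:02Z auth: Failed password for invalid user admin from 203.0.113.5
2026-04-07T09:15:05Z auth: Failed password for invalid user root from 203.0.113.5
2026-04-07T09:15:09Z auth: Failed password for alice from 203.0.113.5
2026-04-07T09:15:14Z auth: Failed password for alice from 203.0.113.5
2026-04-07T09:15:20Z auth: Failed password for alice from 203.0.113.5
2026-04-07T09:15:27Z auth: Failed password for alice from 203.0.113.5
2026-04-07T09:16:03Z auth: Accepted password for alice from 203.0.113.5
2026-04-07T09:20:11Z auth: Failed password for bob from 198.51.100.7
2026-04-07T09:31:40Z auth: Failed password for bob from 198.51.100.7
2026-04-07T09:40:00Z auth: Accepted password for carol from 192.0.2.9
""".strip().splitlines()


def parse(lines):
    """Turn matching log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (a) failure bursts and (b) a success after a burst.

    threshold: failures within `window` from one source that trigger an alert.
    """
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["outcome"] == "Failed"]
        # (a) Sliding window over failure timestamps: largest count in any window.
        burst = 0
        for i, start in enumerate(failures):
            burst = max(burst, sum(1 for t in failures[i:] if t - start <= window))
        if burst >= threshold:
            alerts.append({"src": src, "type": "failed-login burst", "count": burst})
        # (b) A success with >= threshold failures from the same source just before it.
        for ev in evs:
            if ev["outcome"] != "Accepted":
                continue
            prior = sum(1 for t in failures if ev["ts"] - window <= t < ev["ts"])
            if prior >= threshold:
                alerts.append({"src": src, "type": "success after repeated failures",
                               "user": ev["user"], "prior_failures": prior})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The second alert type is the one worth an incident-response procedure: a burst that ends in an accepted login means a password was likely guessed or reused, and the response is to reset that account and review what it accessed, which is exactly the sequence the "incident response procedures" bullet should spell out.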

4. Training and Awareness

All employees must understand how to handle personal information. At minimum:

  • Annual security awareness training
  • Role-specific training (accountants, customer service, etc.)
  • Documentation of training provided
  • Testing or certification of understanding

The FTC has specifically cited companies for having training that existed on paper but wasn't actually conducted. Your employees need real, meaningful training—not checkbox exercises.

5. Third-Party Risk Management

You're responsible for the security of vendors who handle your data:

  • Contracts requiring appropriate safeguards
  • Due diligence before engaging vendors
  • Ongoing monitoring of vendor security posture
  • Incident notification requirements

This is increasingly important. The FTC has fined companies for breaches occurring at service providers they didn't adequately vet.

Real FTC Enforcement Actions: Learning from Others' Mistakes

AMG Services (2020): Fined $39.5 million for inadequate security, despite having a written security program. The program looked good on paper but wasn't actually implemented. There was no vulnerability assessment, no penetration testing, and inadequate access controls.

WhatsApp (2021): Fined $100 million for failing to protect user data properly. Despite its resources, inadequate access controls allowed breaches.

Drizly (2022): Breach of 4.7 million users' data due to inadequate security measures despite having written safeguards.

Notice a pattern? It's not about having a perfect security system—it's about having a written plan, actually implementing it, and being able to demonstrate both when asked.

The Hidden Costs of a Breach

Beyond regulatory fines, a data breach costs:

  • Notification costs: $5-15 per affected individual
  • Credit monitoring: Required in most states (1-2 years minimum)
  • Legal fees: $500,000-$2M+ for breach response and potential litigation
  • Incident response: Forensics, remediation, system rebuilding
  • Regulatory investigations: Attorney general inquiries, class action defense
  • Lost business: Customer churn, damaged reputation
  • Cyber liability insurance: Claims, increased premiums

The average cost of a data breach for a small business is $200,000-$300,000. For some, it's catastrophic.

How to Meet FTC Requirements

Start immediately:

  1. Designate someone responsible for information security
  2. Document what personal data you collect and where it lives
  3. Conduct a written risk assessment
  4. Based on risks identified, implement appropriate safeguards
  5. Document your safeguards and who maintains them
  6. Train all employees
  7. Conduct quarterly reviews and updates
  8. Test your defenses (penetration testing, mock phishing, etc.)

This doesn't require massive investment. It requires intentionality. Many small businesses can build a solid foundation with basic controls, documentation discipline, and annual reviews.

The Bottom Line

Data breaches aren't a question of if, but when. Your job as a business owner isn't to prevent every possible attack—it's to have a reasonable, documented system in place and to be able to prove you're managing the risks you know about.

The FTC's focus isn't on perfection. It's on evidence of a real program—written, implemented, and managed. When breaches happen (and they do), companies with documented safeguards and response procedures fare far better than those without.

Build your program now, when there's no crisis. You'll be glad you did.

Rohan Sookdeo
Compliance Consultant, Streamlined Technology Services
