In a proposed settlement order, the FTC demanded that GoDaddy, within 90 days of finalizing the order, establish, implement, and thereafter maintain a comprehensive information security program.
The company is further required to document and regularly update its information security program, providing it to relevant governing bodies at least annually and after any significant security incident. It must designate a qualified employee to oversee this program and assess risks to security and confidentiality, updating their findings annually and after incidents.
GoDaddy was also asked to implement safeguards to mitigate risks, maintain system inventories, use automated tools for real-time security analysis, manage audit logs, and ensure secure authentication methods (MFA), with regular updates to align with industry standards and past incidents.