Educational Information Only
This page provides general educational information about cybersecurity laws and regulations. It does not constitute legal advice, legal interpretation, or a substitute for professional legal counsel. Laws change frequently. Always consult a qualified attorney and verify current requirements directly from official government sources before making compliance decisions. DecipherU is not a law firm and does not provide legal services.
Federal Trade Commission Act Section 5 (Unfair or Deceptive Acts or Practices)
Section 5 of the Federal Trade Commission Act of 1914 (15 U.S.C. Section 45) declares 'unfair or deceptive acts or practices in or affecting commerce' unlawful and gives the Federal Trade Commission authority to investigate and prosecute them. The FTC's data security program has been built almost entirely on Section 5. The agency has used the 'unfair' prong against companies that failed to maintain reasonable security and the 'deceptive' prong against companies that made false or misleading statements in privacy notices, security marketing, or breach communications. The FTC publishes its data security cases and Start With Security guidance at ftc.gov. The FTC's authority under Section 5 reaches almost every commercial entity in the United States. Section 5(a)(2) exempts banks, savings and loan institutions, federal credit unions, common carriers subject to the Communications Act, air carriers, and certain meat-packing entities. Practically, almost every consumer-facing internet, retail, software, hardware, gaming, education, advertising, and healthcare-adjacent (non-HIPAA) business sits inside FTC Section 5 reach. The FTC operates alongside, not in place of, sector-specific federal regulators (HHS for HIPAA, OCC and FDIC for banking, SEC for public-company disclosures, CFPB for consumer finance) and the state attorneys general. The agency has brought more than 80 publicly resolved data security actions since the 2002 Eli Lilly settlement, the first formal data-security action under Section 5. Important precedents include FTC v. Wyndham Worldwide (the Third Circuit's 2015 decision confirming the FTC's authority to challenge unreasonable data security as 'unfair'), LabMD v. FTC (the Eleventh Circuit's 2018 decision narrowing FTC remedial orders to specific conduct, not generic 'reasonableness'), and the 2022 settlements with Drizly (former Uber subsidiary) and Chegg. The Drizly action (Federal Trade Commission v. Drizly, LLC and James Cory Rellas, October 2022) bound the company and named its chief executive personally in the order. The order requires a 'comprehensive' information security program (the FTC's own term in the order, quoted here as written), destruction of unnecessary personal data, multi-factor authentication for cloud accounts, a vulnerability disclosure program, and a 10-year monitoring window. The CEO provision binds Rellas for 10 years at any future company where he has authority over consumer data. The Chegg action (Federal Trade Commission, In the Matter of Chegg, Inc., 2022) followed four data breaches between 2017 and 2020 that exposed approximately 40 million accounts. The order required multi-factor authentication, encryption of personal data at rest, employee security training, data minimization, retention limits, and a 20-year third-party assessment regime. The FTC's 2024 amendment to the Health Breach Notification Rule, the 2023 Notice of Proposed Rulemaking on Commercial Surveillance and Data Security (still pending as of mid-2026), and the 2024 Final Rule on Negative Option Marketing show the agency is also using rulemaking authority alongside Section 5. Civil penalties for violation of a consent order, a final rule, or a court order reach USD 53,088 per violation (2024 inflation-adjusted figure under 15 U.S.C. Section 45(m) and 16 CFR Section 1.98). The FTC's first-order Section 5 actions, by contrast, are typically resolved through equitable remedies (deletion, monitoring, mandated controls) and a 20-year monitoring period, not first-time fines.
Quick Reference
Key Requirements
15 U.S.C. Section 45(a)(1)
Do not engage in unfair or deceptive acts or practices in or affecting commerce. Privacy notices, security marketing, and breach communications must be truthful and not misleading.
15 U.S.C. Section 45(n) (Unfairness test)
Avoid practices that cause or are likely to cause substantial injury to consumers, that consumers cannot reasonably avoid, and that are not outweighed by benefits to consumers or competition. Document the cost-benefit analysis for any data practice with potential consumer harm.
FTC Start With Security (S1, Take stock)
Inventory personal data: what is collected, where it is stored, who has access, and how long it is retained. Maintain a data-flow map that auditors and the FTC can review.
FTC Start With Security (S2, Scale down)
Apply data minimization: collect only what is needed, keep it only as long as needed, and dispose of it securely. The 2022 Drizly order required destruction of unnecessary personal data as a remedy.
FTC Start With Security (S3, Lock it down)
Restrict access to personal data on a need-to-know basis. Use strong authentication, including multi-factor authentication for administrative and cloud accounts (a mandated control in the Drizly 2022 and Chegg 2022 orders).
FTC Start With Security (S4, Encryption)
Encrypt sensitive personal data at rest and in transit. Use validated cryptographic modules. The Chegg 2022 order mandates encryption of personal data at rest.
FTC Start With Security (S5, Segment networks)
Segment networks so that a compromise of one segment does not give access to all systems. Monitor traffic across segment boundaries. The Wyndham 2015 case turned in part on the absence of network segmentation across franchise systems.
FTC Start With Security (S6, Secure remote access)
Protect remote access with strong authentication and monitor for unauthorized use. Apply the principle to vendors with access to internal systems.
FTC Start With Security (S7, Apply sound security to products)
Build security into products from design. Test against known vulnerabilities before release. Maintain a coordinated vulnerability disclosure program.
FTC Start With Security (S8, Service providers)
Hold service providers to written security standards through contracts. Verify performance. The FTC has named processor weaknesses in multiple actions.
FTC Start With Security (S9, Update and patch)
Apply security patches in a timely manner. Maintain a written patch program with tracked service-level agreements. Use a vulnerability scanner and review findings.
FTC Start With Security (S10, Logging and monitoring)
Log security events and review them. Investigate anomalies. Multiple FTC actions have called out the absence of intrusion detection as an unfair practice.
FTC Start With Security (S11, Physical security)
Protect paper and physical media as carefully as digital data. Train staff on physical security and shred sensitive material.
FTC consent decree readiness (20-year clock)
If named in a Section 5 settlement, plan for a 20-year third-party assessment regime, mandated security program, breach notification obligations, executive certification, and the risk of civil penalties up to USD 53,088 per violation under 15 U.S.C. Section 45(m) for any future order breach.
FTC Section 6(b) inquiries
Respond on time to FTC Section 6(b) study orders and Civil Investigative Demands. Preserve documents and emails when an investigation opens. Engage counsel before submitting written responses to the agency.
How Does FTC Act Section 5 Affect Cybersecurity Careers?
FTC Section 5 is the baseline US federal cybersecurity enforcement standard for the commercial sector. Every CISO, GRC analyst, privacy engineer, and compliance auditor at a non-bank, non-carrier company in the United States needs working knowledge of the Start With Security guidance, the consent-order pattern, and the personal-liability risk after Drizly 2022. GRC analysts run the data inventory, the Start With Security gap assessment, the vendor risk program, and FTC investigation readiness (document preservation, 6(b) response, witness preparation). Privacy engineers build the consent flows, deletion pipelines, and encryption controls that map to the Start With Security checklist. Compared to GDPR, Section 5 is narrower in rights and broader in enforcement reach because the FTC sets case-by-case 'reasonableness' rather than prescriptive controls. Compared to CCPA, Section 5 is the federal floor while CCPA is a state ceiling. Compared to NIST CSF 2.0, Section 5 is enforceable while NIST CSF 2.0 is voluntary guidance, so most US programs use NIST CSF 2.0 as the control backbone and Section 5 plus state laws as the legal layer. Career paths affected include /careers/grc-analyst and /careers/privacy-engineer. The GRC and Compliance Fundamentals course covers Section 5, Start With Security, and the major consent orders (Wyndham, LabMD, Drizly, Chegg) as the United States federal enforcement module.
How Does FTC Act Section 5 Affect Cybersecurity Sales?
Cybersecurity vendors can ground sales conversations in named FTC consent orders. The Drizly 2022 order mandates multi-factor authentication for cloud and administrative accounts, deletion of unnecessary personal data, a written security program, employee training, third-party assessment, and personal CEO liability. The Chegg 2022 order mandates encryption of personal data at rest, multi-factor authentication, data minimization, and retention limits. These orders are checklists that map to identity and access management products, encryption at rest products, data discovery and minimization platforms, vulnerability management programs, MDR offerings, vendor risk software, and security training platforms. Vendors selling into US commercial buyers benefit from naming the orders and the dollar figures (USD 53,088 per violation in 2024) when calibrating buyer urgency.
Read the full text of FTC Act Section 5 at the official source: https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act
Frequently Asked Questions
What are the penalties for FTC Act Section 5 non-compliance?
First-order Section 5 violations are typically resolved by equitable remedies (deletion of data, mandated security program, 20-year third-party assessment) without civil monetary penalties because AMG Capital Management v. FTC (2021) eliminated Section 13(b) monetary equitable relief. Civil monetary penalties under 15 U.S.C. Section 45(m) apply to violations of consent orders, trade-regulation rules, and final court orders, at USD 53,088 per violation (2024 inflation-adjusted under 16 CFR 1.98). Personal liability has been imposed on named officers (Drizly 2022).