FTC orders GoDaddy to overhaul its infosec practices

In the proposed settlement order, the FTC required that GoDaddy, within 90 days of finalizing the order, establish, implement, and thereafter maintain a comprehensive information security plan.

The company is also required to write and regularly review its information security plan, providing it to the relevant governing bodies at least annually and after any significant security incident. It must appoint a qualified staff member to oversee the program and assess security and confidentiality risks, reviewing their findings annually and after incidents.

GoDaddy was also required to implement security measures to mitigate risks, maintain program inventory, use automated real-time security analysis tools, manage audit logs, and ensure secure authentication methods (MFA), with regular updates to account for industry standards and past incidents.

