The Federal Trade Commission announced a new enforcement initiative specifically targeting small businesses with fewer than 100 employees that collect consumer data without adequate security practices. The FTC has opened 23 investigations against small businesses in Q1 2026 alone. Here is what every small business needs to know.
The Federal Trade Commission announced in April 2026 that it is expanding its data security enforcement program to specifically target small businesses with fewer than 100 employees. The FTC’s Bureau of Consumer Protection stated that small businesses collectively handle enormous amounts of consumer data and that inadequate security at small businesses creates systemic risk to consumers. The FTC opened 23 investigations against small businesses in Q1 2026, compared to 6 in all of 2024. The agency has made clear that it views basic cybersecurity hygiene as a legal obligation for any business that collects consumer data, regardless of size.
The FTC does not require small businesses to implement enterprise-grade security programs. However, its enforcement actions and guidance documents establish a clear baseline of what it considers reasonable. For small businesses, the FTC expects: a basic inventory of what personal data you collect and where it is stored; access controls that limit who can access customer data; MFA on systems that store or access customer data; encryption of sensitive data at rest and in transit; a process for applying security updates to software and systems; employee training on basic security practices; and a plan for responding to a data breach. Businesses that cannot demonstrate these basic controls face significant enforcement risk.
Several recent FTC enforcement actions illustrate the agency’s current priorities for small businesses. In February 2026, the FTC reached a settlement with a small dental practice that experienced a breach exposing 12,000 patient records. The FTC found that the practice had no MFA on its patient management system, had not applied security updates for over a year, and had no breach response plan. The settlement required the practice to implement a comprehensive security program and submit to third-party security assessments for five years. In March 2026, a small e-commerce retailer agreed to a $125,000 penalty after a breach exposed customer payment card data that was stored in plain text.
Small business owners should take the following steps to reduce FTC enforcement risk. First, conduct a data inventory: document what customer data you collect, where it is stored, and who has access to it. Second, implement MFA on all systems that store customer data, including your website backend, CRM, email marketing platform, and point-of-sale system. Third, ensure your website and all software are kept up to date with security patches. Fourth, write a simple data security policy and train your employees on it. Fifth, have a plan for what you will do if you experience a data breach, including how you will notify affected customers. Segler.Net can help small businesses implement these controls efficiently and cost-effectively.
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.