"Reasonable security": what the FTC's latest SaaS order means for your startup
A consent order against a SaaS CRM whose weak security let attackers walk off with $186 million is not a story about someone else. It is a roadmap for what regulators now expect.
The FTC just finalized a consent order against a SaaS CRM provider whose weak security allowed attackers to walk away with $186 million of customer funds. If you are running a SaaS business, this is not a story about someone else. It is a roadmap for what regulators now expect from you.
The “reasonable security” standard under Section 5 of the FTC Act has been a moving target for years. Orders like this one are useful because they translate “reasonable” into concrete operational terms. The agency expects a written information security program, MFA for privileged accounts, encryption of sensitive data in transit and at rest, vulnerability scanning, third-party assessments, and a documented incident response process. None of this is exotic. None of it is new. But plenty of early-stage SaaS companies still do not have it written down.
Having written code before I wrote contracts, I see the same gap repeatedly with the founders I work with: security gets treated as an engineering checklist instead of a written, testable program. The FTC does not care whether your engineers “do MFA.” It cares whether you have a policy that says so, evidence the policy is followed, and a procedure for when something fails. The same is true on the commercial side. When an enterprise customer sends you a vendor security questionnaire, you cannot pass it by pointing at your codebase. You need documents.
If you operate in Florida, do not assume the Florida Digital Bill of Rights’ “Big Tech only” thresholds let you off the hook. The Florida Information Protection Act still requires notice to affected residents within 30 days of a breach, one of the tighter windows in the country. Pulling that off while you are scrambling to figure out what was taken is far harder than putting an incident response plan on paper while things are calm.
The practical move for most SaaS founders is unglamorous: a short, plainly written security program, a documented vendor and subprocessor list, a one-page incident response plan, and a habit of updating each every six months. That is the floor. It is also what most enterprise buyers and regulators are actually asking to see.