FTC Settlement Puts API Security in the Spotlight — David Senter Weighs in for Cybersecurity Law Report

Quoted
Cybersecurity Law Report

Smith Anderson data privacy and security attorney David Senter was featured in Cybersecurity Law Report’s in-depth analysis of the FTC’s January 2025 settlement with a web-hosting giant. The settlement highlighted a number of common security gaps, including the failure to log security events, implement multi-factor authentication (MFA), consistently apply patches, sufficiently monitor for threats or have an accurate inventory of computing assets, all of which can result in serious data breaches.

The settlement has drawn industry-wide attention for its detailed requirements around application programming interface (API) security, marking one of the first times API security has been explicitly addressed in regulatory enforcement. As the article notes, these API-specific provisions could serve as a new baseline for what regulators deem "reasonable security." David pointed out that these API mandates illustrate a broader trend: FTC settlements are becoming more technically detailed in their expectations of a company’s information security programs. He explained that these consent orders — along with recent regulatory updates like the Safeguards Rule — are shaping today’s U.S. cybersecurity compliance landscape.

"Companies should use these mandates as a roadmap in their own security assessments and audits," David advised.

According to the article, maintaining an accurate API inventory is essential to effective API governance. David noted that companies often struggle to manage and even identify active APIs and stressed the importance of including APIs in regular risk assessments. To bridge these gaps, he recommended having an independent third party assist with assessing APIs and appropriately securing them.

In summing up the FTC’s new standards, David added: "The API security practices identified by the FTC – encryption, authentication, rate-limiting and monitoring – are excellent first steps that will not only lower regulatory risk, but, more importantly, protect a company’s systems and data."

Cybersecurity Law Report subscribers can read the full article here.


About Cybersecurity Law Report

Cybersecurity Law Report is a trusted legal and regulatory intelligence resource for professionals navigating cybersecurity, data privacy, and compliance. The publication delivers in-depth analysis, practical guidance, and expert commentary on the evolving landscape of cyber threats, enforcement actions, and best practices for data protection. Its audience includes in-house counsel, compliance officers, and outside attorneys advising organizations on managing cyber risk in a rapidly shifting legal environment.
