The Federal Trade Commission issued its second annual report to Congress on Tuesday, documenting the agency's ongoing efforts to combat ransomware and other cyberattacks as required under federal law. The report shows the FTC has brought more than 90 enforcement actions with favorable outcomes in its data security program, marking a significant expansion of regulatory activity since its initial 2023 report.

The 2025 report is mandated by the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act, known as the RANSOMWARE Act. The legislation requires the Commission to regularly update Congress on its work to combat cyberattacks, particularly those originating from China, Russia, North Korea, and Iran.

The FTC's enforcement program focuses on ensuring companies take reasonable steps to protect personal data they collect and store. Among the notable settlements mentioned in the report are actions against GoDaddy, the web hosting giant, and Illuminate Education, an educational technology company. These cases demonstrate the agency's willingness to pursue major corporations that fail to implement adequate cybersecurity measures.

Ransomware attacks, which the FTC defines as cyber-related attacks where bad actors hold data or computer access hostage until receiving payment, remain a primary focus of the agency's enforcement efforts. The commission's approach combines direct enforcement action against companies with poor security practices alongside educational initiatives designed to help businesses and consumers protect themselves.

The report builds on the FTC's initial 2023 submission, which provided an overview of the agency's activities concerning the four nations of primary concern. The updated document highlights the Commission's continued contribution to the broader federal effort to combat cyber threats, showing how the agency's consumer protection mandate intersects with national security concerns.

Beyond enforcement actions, the FTC has pursued bad actors involved in tech support scams, a common vector for cybercriminals to gain access to consumer data and systems. These scams typically involve criminals posing as legitimate technical support representatives to trick consumers into providing access to their computers or personal information.

The agency's educational efforts represent another key component of its cybersecurity strategy. The FTC provides up-to-date alerts and advice about malware, cybersecurity best practices, and tech support scams through various consumer and business education programs. These resources aim to help both individual consumers and businesses understand emerging threats and implement appropriate protective measures.

The Commission's focus on data security enforcement reflects broader concerns about the vulnerability of American businesses and consumers to cyberattacks. As ransomware groups increasingly target critical infrastructure and major corporations, federal agencies have expanded their efforts to hold companies accountable for cybersecurity failures that expose consumer data.

The FTC's approach differs from other federal cybersecurity efforts by focusing specifically on the consumer protection aspects of cyber threats. While agencies like the Department of Homeland Security and the FBI focus on national security implications, the FTC addresses how cyberattacks affect individual consumers and the marketplace.

The timing of the report coincides with increased congressional attention to cybersecurity issues, particularly as lawmakers consider additional legislation to strengthen the federal government's response to cyber threats. The RANSOMWARE Act represents one of several recent legislative efforts to improve coordination between federal agencies and enhance reporting on cybersecurity activities.

Companies subject to FTC jurisdiction should note that the agency's enforcement activity appears to be accelerating. The 90-plus enforcement actions represent a substantial increase from previous years, suggesting the Commission is prioritizing cybersecurity as a consumer protection issue. Businesses that collect and store consumer data may face increased scrutiny of their security practices.

The Commission approved the 2025 report by a 2-0 vote, indicating bipartisan support for the agency's cybersecurity efforts. This consensus suggests the FTC's approach to combating cyber threats through consumer protection enforcement will likely continue regardless of political changes.

Looking ahead, the FTC's report indicates the agency will continue monitoring threats from the four nations of concern while expanding its enforcement efforts against companies that fail to protect consumer data. The combination of enforcement actions, educational initiatives, and congressional reporting creates a comprehensive approach to addressing the consumer protection aspects of the broader cybersecurity challenge facing the United States.