Section 5 of the Federal Trade Commission Act (FTC Act) (15 USC 45) prohibits ‘‘unfair or deceptive acts or practices in or affecting commerce.’’
The prohibition applies to all persons engaged in commerce - this includes online retailers or any business that maintains sensitive consumer information.
In the data security context, the FTC has gone after companies for the failure to implement "reasonable safeguards" to protect the privacy of consumer information, where the failure causes substantial injury without offsetting benefits, as an unfair practice.
From an information security perspective, "Unfair Acts or Practices" exist where something a business does: Causes or is likely to cause substantial injury to consumers, Cannot be reasonably avoided by consumers, and Is not outweighed by countervailing benefits to consumers or to competition.
The FTC's ability to come after businesses is pretty eye opening for most people (https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority) and there is a long list of previous enforcement actions that can be found on the FTC's website (https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises).
This is where a Written Information Security Program (WISP) from ComplianceForge.com can be very beneficial - if you are aligned with ISO or NIST, a WISP can help provide evidence of due care that your organization is aligned with industry best practices. By following those requirements, you will have the ability to prove due diligence.
By having evidence of due care and due diligence, you and clearly demonstrate that you have implemented and maintain "reasonable safeguard" to protect the privacy of your consumers' information. Additionally, performing ongoing cybersecurity risk assessments will help your organization uncover potential weaknesses within your IT security program. This gives you the ability to proactively remediate risks that could have negative operational impacts on your business in the future.