The case of FTC v. Wyndham is one of the most important security and privacy cases decided in the last 10 years. The case affirms several important principles governing data security, and it is a must-read for business executives and attorneys. First, it cements the FTC's authority to act as the nation's privacy and security watchdog. Second, it identifies a laundry list of privacy and security missteps. Third, it stands for the proposition that if a company was not on notice that it has to meet certain privacy and security standards, even if they are not readily and specifically ascertainable, it is now.

The FTC alleged, and the Third Circuit ostensibly agreed, that Wyndham's security practices were "unfair" and, therefore, legally insufficient because "taken together [they] unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." These missteps, taken together, can serve as a baseline for best practices.

The following practices should be followed:

Store sensitive information in encrypted format.

Prohibit use of easily guessed passwords (especially avoid using "default"/factory settings).

Use "readily available security measures," such as firewalls, to limit access to systems, the company's network and the internet.

Implement information security policies and procedures that prohibit using out-of-date operating systems and software and require maintaining security updates.

Prohibit the use of "default" user IDs and passwords.

Maintain an inventory of computers connected to the network.

Restrict access of third-party vendors by specified IP addresses or time-limited access.

Employ reasonable detection and prevention measures.

Follow "proper incident response procedures" (e.g. identifying attack tools, methods and targets to avoid similar attack methods or malware).

While the FTC v. Wyndham case provides a baseline for incompetence, it does not provide a clear rule on minimum adequate practices. Each company must judge for itself whether its security practices and policies reflect the company's risks given the varieties of industries, customers, vendors, markets and regulations. However, deciding to avoid all the mistakes made by Wyndham is a good start.