The widely-watched case of FTC v. Wyndham Worldwide Corp. isn't just about cybersecurity.

The case of FTC v. Wyndham is one of the most important security and privacy cases decided in the last 10 years. The case affirms several important principles governing data security, and it is a must-read for business executives and attorneys. First, it cements the FTC’s authority to act as the nation’s privacy and security watchdog. Second, it identifies a laundry list of privacy and security missteps. Third, it stands for the proposition that if a company was not on notice that it has to meet certain privacy and security standards, even if they are not readily and specifically ascertainable, it is now.

The FTC alleged, and the Third Circuit ostensibly agreed, that Wyndham’s security practices were “unfair” and, therefore, legally insufficient because “taken together [they] unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” These missteps, when reviewed, can create a baseline for best practices.

The following practices should be followed:

- Store sensitive information in encrypted format.
- Prohibit use of easily-guessed passwords (especially avoid using “default”/factory-settings).
- Use “readily available security measures,” such as firewalls, to limit access to systems, the company’s network and the internet.
- Implement information security policies and procedures that prohibit using out-of-date operating systems and software and require maintaining security updates.
- Prohibit the use of “default” user IDs and passwords.
- Maintain an inventory of computers connected to the network.
- Restrict access of third-party vendors by specified IP addresses or time-limited access.
- Employ reasonable detection and prevention measures.
- Follow “proper incident response procedures” (e.g. identifying attack tools, methods and targets to avoid similar attack methods or malware).

While the FTC v.
Wyndham case provides a baseline for incompetence, it does not provide a clear rule on minimum adequate practices. Each company must judge for itself whether its security practices and policies reflect the company’s risks given the varieties of industries, customers, vendors, markets and regulations. However, deciding to avoid all the mistakes made by Wyndham is a good start.