Still Using FTP or POP3? Here’s Why That Could Get You Sued in 2025
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Introduction
Legacy communication protocols like File Transfer Protocol (FTP) and Post Office Protocol v3 (POP3) are still widely used across small and mid-sized businesses (SMBs). What many companies don't realize is that these protocols, once standard, are in their unencrypted forms very hard to reconcile with what modern privacy laws treat as reasonable security.
If your organization continues using them in 2025, you're not just risking data theft - you’re inviting regulatory scrutiny, litigation, and class-action liability. And in many cases, you don’t even need a breach to be found in violation of data protection laws.
The Insecurity of FTP and POP3: A Technical Breakdown
FTP transmits commands, credentials and file contents in plaintext: the control channel on port 21 and the data channel on port 20 (active mode) or a negotiated high port (passive mode). There is no built-in encryption, so usernames, passwords, and the transferred files themselves can be read by anyone positioned on the network path or able to mount a man-in-the-middle (MITM) attack.
POP3, on port 110, fetches mail the same way: the USER/PASS login and the message bodies cross the network unencrypted unless the session is upgraded with STLS (POP3's STARTTLS command, RFC 2595) or wrapped in TLS from the start on port 995. Most clients also run POP3 in its default download-and-delete mode, moving mail to the local device and removing it from the server, which makes central security enforcement and retention harder.
Core Risks of These Protocols
- No default encryption of data in transit
- Credentials transmitted in plaintext
- Susceptibility to MITM and packet sniffing
- Difficulty enforcing centralized access control
- Poor auditing/logging capabilities
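To make the risks above concrete, here is an added example (not code from the article's author) of what an attacker who can sniff the network actually recovers. CAPTURE is a constructed reconstruction of the client and server lines of four legacy sessions, the view a passive sniffer on the same segment would get after following each TCP stream; every address, name and secret in it is made up. It covers the protocols this article names (FTP, POP3, IMAP and SMTP submission), including SASL PLAIN and LOGIN, where base64 is encoding rather than encryption.

```python
"""Recover logins from a plaintext FTP/POP3/IMAP/SMTP capture.

Added example for this article (not the author's code). CAPTURE is a constructed
reconstruction of client/server lines; every address, name and secret is made up.
"""
import base64
import re
from dataclasses import dataclass

# (client_ip, server_port, direction, line); "C" = client -> server, "S" = server reply.
CAPTURE = [
    ("10.0.0.15", 21, "C", "USER backup"),
    ("10.0.0.15", 21, "S", "331 Please specify the password."),
    ("10.0.0.15", 21, "C", "PASS Winter2025!"),
    ("10.0.0.15", 21, "S", "230 Login successful."),
    ("10.0.0.22", 110, "C", "USER alice@example.com"),
    ("10.0.0.22", 110, "S", "+OK"),
    ("10.0.0.22", 110, "C", "PASS hunter2"),
    ("10.0.0.22", 110, "S", "+OK Logged in."),
    ("10.0.0.23", 110, "C", "AUTH PLAIN AGJvYgBzM2NyM3Q="),   # base64, not encryption
    ("10.0.0.23", 110, "S", "+OK"),
    ("10.0.0.31", 143, "C", 'a001 LOGIN carol "p@ss word"'),
    ("10.0.0.31", 143, "S", "a001 OK LOGIN completed"),
    ("10.0.0.40", 25, "C", "AUTH LOGIN"),
    ("10.0.0.40", 25, "S", "334 VXNlcm5hbWU6"),              # "Username:"
    ("10.0.0.40", 25, "C", "ZGF2ZQ=="),
    ("10.0.0.40", 25, "S", "334 UGFzc3dvcmQ6"),              # "Password:"
    ("10.0.0.40", 25, "C", "cmVsYXkxMjM="),
    ("10.0.0.40", 25, "S", "235 2.7.0 Authentication successful"),
]

PORT_TO_PROTO = {21: "ftp", 110: "pop3", 143: "imap", 25: "smtp"}
_IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.IGNORECASE)


@dataclass(frozen=True)
class Credential:
    client: str
    protocol: str
    username: str
    password: str


def _b64text(token):
    return base64.b64decode(token).decode("utf-8", "replace")


def _unquote(token):
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def _sasl_plain(token):
    """AUTH PLAIN (RFC 4616) is base64(authzid NUL authcid NUL password)."""
    parts = base64.b64decode(token).split(b"\x00")
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_credentials(capture):
    """Walk the client lines of each (client, port) session and return every login sent in the clear."""
    found, state = [], {}
    for client, port, direction, line in capture:
        proto = PORT_TO_PROTO.get(port)
        if proto is None or direction != "C":
            continue
        st = state.setdefault((client, port), {})
        tokens = line.split()
        if not tokens:
            continue
        # SMTP AUTH LOGIN: the next two client lines are base64 username, then base64 password
        if "login_step" in st:
            if st["login_step"] == 0:
                st["user"], st["login_step"] = _b64text(tokens[0]), 1
            else:
                found.append(Credential(client, proto, st.pop("user"), _b64text(tokens[0])))
                del st["login_step"]
            continue
        cmd = tokens[0].upper()
        if cmd == "USER" and len(tokens) > 1:                # FTP and POP3 USER/PASS
            st["user"] = tokens[1]
        elif cmd == "PASS" and len(tokens) > 1 and "user" in st:
            found.append(Credential(client, proto, st.pop("user"), line.split(None, 1)[1]))
        elif cmd == "AUTH" and len(tokens) > 1:              # SASL on POP3 or SMTP
            mech = tokens[1].upper()
            if mech == "PLAIN" and len(tokens) > 2:
                decoded = _sasl_plain(tokens[2])
                if decoded:
                    found.append(Credential(client, proto, *decoded))
            elif mech == "LOGIN":
                st["login_step"] = 0
                if len(tokens) > 2:                          # optional initial response = username
                    st["user"], st["login_step"] = _b64text(tokens[2]), 1
        elif proto == "imap":                                # tagged LOGIN command
            match = _IMAP_LOGIN.match(line)
            if match:
                found.append(Credential(client, proto, _unquote(match.group(1)), _unquote(match.group(2))))
    return found


if __name__ == "__main__":
    for c in extract_credentials(CAPTURE):
        print(f"{c.client:<10} {c.protocol:<5} {c.username} / {c.password}")
```

Every one of the five logins in the sample comes back in full, including the two that were "protected" by base64. The only thing that stops this is a TLS session established before the login is sent, which is what the remediation steps later in this article require.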
Legal and Regulatory Implications
Data protection laws no longer treat encryption as optional - they treat it as expected.
GDPR (General Data Protection Regulation)
- Article 32 requires “appropriate technical and organisational measures,” and names encryption of personal data as an example of such a measure (Art. 32(1)(a)).
- Recital 83 reinforces the expectation of protecting personal data throughout its lifecycle, including in transit.
CPRA (California Privacy Rights Act)
- Expands on CCPA to require “reasonable security procedures and practices” for personal information.
- Administrative fines are assessed per violation (up to $2,500, or $7,500 for intentional violations and violations involving minors) and do not require a breach. The consumer private right of action under Civil Code §1798.150 is triggered when nonencrypted personal information is exposed as a result of a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident.
HIPAA (Health Insurance Portability and Accountability Act)
- The Security Rule's transmission security standard (45 CFR §164.312(e)(1)) requires covered entities and business associates to guard against unauthorized access to electronic PHI transmitted over a network. Encryption (§164.312(e)(2)(ii)) is an “addressable” specification, which does not mean optional: an entity that does not encrypt must document why it is not reasonable and appropriate and what equivalent measure it uses instead.
- Moving ePHI over unencrypted FTP or POP3, with TLS-capable alternatives readily available, would be very hard to justify under that standard.
Even if no breach occurs, regulators may penalize companies based on insecure practices alone, particularly if modern, secure alternatives are readily available.
Visual Snapshot: SMBs Still Relying on Legacy Protocols
To illustrate the scale of this compliance gap, consider an illustrative figure (fictional, not drawn from a real survey) for a population of 500 small businesses:
Over 40% still use FTP or SMTP without TLS, exposing critical data in transit.
The misalignment is clear: businesses continue using outdated technologies that regulatory frameworks presume to be phased out.
How This Leads to Lawsuits
1. Breach of Duty of Care
Using insecure protocols is increasingly interpreted as negligence, particularly when encryption is low-cost and widely available. Plaintiffs’ lawyers can argue that your company failed to implement industry-standard security practices.
2. Regulatory Enforcement
Under GDPR or CPRA, regulators can issue fines for failing to ensure data protection by design and by default, even absent an actual data breach.
3. Contractual Liability
If you process data on behalf of another company, insecure transfers via FTP or POP3 may violate contractual data protection clauses, triggering indemnity clauses or civil claims.
Action Plan: Securing Your Protocol Stack
A proper response requires both technical and legal alignment. Here are steps to bring your infrastructure into compliance:
Step 1: Conduct a Protocol-Level Audit
Use tools like Nmap or Nessus to identify which ports and protocols are in use across all networked systems. A listening port by itself does not settle the question: port 25 or 143 can be acceptable if the service offers STARTTLS and refuses logins until the session is upgraded, so have the scanner pull service capabilities as well (for Nmap, the ftp-anon, pop3-capabilities, imap-capabilities, smtp-commands and ssl-enum-ciphers scripts). Focus on:
- Port 21 (FTP)
- Port 110 (POP3)
- Ports 25 and 587 (SMTP, where STARTTLS is not offered or AUTH is accepted before it)
- Port 143 (IMAP, where STARTTLS is not offered or LOGIN is still accepted in the clear)
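The capability check Step 1 calls for, as an added example (Python standard library only; not the author's tooling or a vendor scanner). It connects to each listener, records what the service advertises before any TLS upgrade, and grades it: "plaintext-only" (no TLS upgrade at all), "tls-optional" (TLS available but a plaintext login is still accepted), or "tls-enforced". The hosts in TARGETS are placeholders; the classify() function is pure and can be exercised without a network.

```python
"""Grade FTP/POP3/IMAP/SMTP services on whether they still take logins in the clear.

Added example for this article (not the author's or any vendor's tool). Standard
library only. The hosts in TARGETS are placeholders (assumption); point it at the
listeners your Nmap sweep found.
"""
import ftplib
import imaplib
import poplib
import smtplib
from dataclasses import dataclass

# The command that upgrades each protocol to TLS; its absence means plaintext only.
TLS_UPGRADE = {"ftp": "AUTH TLS", "pop3": "STLS", "imap": "STARTTLS", "smtp": "STARTTLS"}


def classify(proto, caps):
    """Verdict from the capabilities advertised before any TLS upgrade.

    caps: tokens (case-insensitive). POP3: CAPA names plus 'SASL=<mech>'. IMAP:
    CAPABILITY tokens. SMTP: EHLO keywords plus 'AUTH=<mech>'. FTP: 'AUTH TLS' if accepted.
    """
    caps = {c.upper() for c in caps}
    if proto == "ftp":
        plain_login = True       # USER/PASS always exists; refusing it pre-TLS is server policy
    elif proto == "pop3":        # RFC 2449: USER capability means USER/PASS is accepted now
        plain_login = bool(caps & {"USER", "SASL=PLAIN", "SASL=LOGIN"})
    elif proto == "imap":        # RFC 2595: LOGINDISABLED means LOGIN is refused until STARTTLS
        plain_login = "LOGINDISABLED" not in caps or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    elif proto == "smtp":        # RFC 4954: plaintext mechanisms should not be offered pre-TLS
        plain_login = bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    else:
        raise ValueError(f"unknown protocol {proto}")
    if TLS_UPGRADE[proto] not in caps:
        return "plaintext-only"
    return "tls-optional" if plain_login else "tls-enforced"


def probe_ftp(host, port, timeout=5):
    ftp = ftplib.FTP_TLS(timeout=timeout)
    ftp.connect(host, port)
    try:
        ftp.auth()                     # sends AUTH TLS; a 5xx reply raises error_perm
        caps = {"AUTH TLS"}
    except ftplib.error_perm:
        caps = set()
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            pass
    return caps


def probe_pop3(host, port, timeout=5):
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        raw = conn.capa()              # {'STLS': [], 'USER': [], 'SASL': ['PLAIN', ...], ...}
    except poplib.error_proto:
        raw = {}                       # no CAPA at all: an old server, certainly no STLS
    finally:
        conn.quit()
    return set(raw) | {f"SASL={m}" for m in raw.get("SASL", [])}


def probe_imap(host, port, timeout=5):
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    caps = set(conn.capabilities)      # imaplib upper-cases the CAPABILITY list on connect
    conn.logout()
    return caps


def probe_smtp(host, port, timeout=5):
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        feats = conn.esmtp_features    # keys lower-case; 'auth' holds the mechanism list
        return {k.upper() for k in feats} | {f"AUTH={m.upper()}" for m in feats.get("auth", "").split()}


PROBES = {"ftp": probe_ftp, "pop3": probe_pop3, "imap": probe_imap, "smtp": probe_smtp}


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    verdict: str


def audit(targets):
    """targets: iterable of (host, port, proto). Network errors become a verdict, not a crash."""
    findings = []
    for host, port, proto in targets:
        try:
            verdict = classify(proto, PROBES[proto](host, port))
        except (OSError, ftplib.Error, poplib.error_proto, imaplib.IMAP4.error, smtplib.SMTPException) as exc:
            verdict = f"error: {exc}"
        findings.append(Finding(host, port, proto, verdict))
    return findings


if __name__ == "__main__":
    TARGETS = [  # placeholders (assumption), not real hosts
        ("mail.example.internal", 110, "pop3"),
        ("mail.example.internal", 143, "imap"),
        ("mail.example.internal", 587, "smtp"),
        ("files.example.internal", 21, "ftp"),
    ]
    for f in audit(TARGETS):
        print(f"{f.host}:{f.port:<4} {f.proto:<4} {f.verdict}")
```

Anything graded "plaintext-only" or "tls-optional" belongs on the remediation list: "tls-optional" is the common case where an administrator enabled STARTTLS years ago but never turned off plaintext logins, so a misconfigured or malicious client can still send credentials in the clear. The probe never sends a username or password itself; for FTP it can only confirm that AUTH TLS is accepted, and whether plaintext logins are refused has to be verified in the server configuration.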
Step 2: Replace and Reconfigure Protocols
- Replace FTP with SFTP (over SSH) or FTPS (FTP over TLS); with FTPS, protect the data channel as well as the control channel (PROT P), or the files themselves still travel in the clear
- Replace POP3 with IMAPS (port 993) or POP3S (port 995), the TLS-wrapped versions; if port 110 or 143 must stay open, configure the server to refuse USER/PASS and LOGIN until STLS/STARTTLS has completed
- Require STARTTLS on port 587 or implicit TLS on port 465 for mail submission, and remember that STARTTLS between mail servers on port 25 is opportunistic unless you enforce it
Step 3: Implement Technical Controls
- Enforce TLS 1.2+ with certificate validation across all communication channels
- Publish SPF, DKIM and DMARC records to prevent spoofing of your mail domain, and sign your zone with DNSSEC so those records cannot be tampered with in transit
- Log and monitor file transfer and email activity for anomalies
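What Steps 2 and 3 look like on the client side, as an added example (Python standard library; not the author's code). It shows the three details that most often go wrong when legacy clients are "upgraded": the TLS context pins TLS 1.2 or newer and verifies the certificate, the POP3 login is refused unless STLS (or implicit TLS on 995) has already completed, and the FTPS download calls PROT P so the file contents, not just the commands, are encrypted. Host names and credentials are placeholders; SFTP needs a third-party SSH library and is not shown.

```python
"""Hardened POP3 and FTPS client patterns for the replacements in Steps 2 and 3.

Added example for this article (not the author's code). Host names and
credentials passed to these functions are placeholders (assumption).
"""
import ftplib
import poplib
import ssl


def make_tls_context():
    """TLS 1.2+ with certificate and hostname verification: the 'Enforce TLS 1.2+' control."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_encrypted(sock):
    """Refuse to send a credential unless the socket is already a TLS socket.
    Returns the negotiated protocol version string (e.g. 'TLSv1.3') once connected."""
    if not isinstance(sock, ssl.SSLSocket):
        raise RuntimeError("refusing to authenticate over a plaintext socket")
    return sock.version()


def pop3_login(host, user, password, port=995, timeout=10):
    """POP3S on 995 (implicit TLS) or an STLS upgrade on 110, always before USER/PASS."""
    ctx = make_tls_context()
    if port == 995:
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
    else:
        conn = poplib.POP3(host, port, timeout=timeout)
        conn.stls(context=ctx)                # error_proto if the server has no STLS: no fallback
    require_encrypted(conn.sock)              # belt and braces: never USER/PASS in the clear
    conn.user(user)
    conn.pass_(password)
    return conn                               # caller reads mail, then conn.quit()


def ftps_download(host, user, password, remote_path, local_path, timeout=10):
    """Explicit FTPS: AUTH TLS for the control channel, then PROT P so the data
    channel carrying the file is encrypted too. Without prot_p() the control
    channel is encrypted but RETR/STOR payloads still cross the network in the clear."""
    ftps = ftplib.FTP_TLS(context=make_tls_context(), timeout=timeout)
    ftps.connect(host, 21)
    ftps.auth()                               # AUTH TLS on the control channel
    require_encrypted(ftps.sock)
    ftps.login(user, password)
    ftps.prot_p()                             # PROT P: encrypt every data connection from now on
    with open(local_path, "wb") as fh:
        ftps.retrbinary(f"RETR {remote_path}", fh.write)
    ftps.quit()
    return local_path


if __name__ == "__main__":
    # Placeholder values (assumption); replace with your own server and account.
    mailbox = pop3_login("mail.example.internal", "alice", "correct horse battery staple")
    print("messages:", mailbox.stat()[0], "over", mailbox.sock.version())
    mailbox.quit()
```

The same ordering rule applies to the server side: a mail server that lists USER or AUTH PLAIN in its capabilities before STLS/STARTTLS, or an FTP server that accepts USER before AUTH TLS, still lets a badly configured client leak credentials no matter how carefully this client is written.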
Step 4: Update Legal Agreements and Policies
- Revise Data Processing Agreements (DPAs) to reflect updated technical safeguards
- Include encryption and protocol security in vendor security assessments
- Document all remediation activities in internal audit trails
Why Most SMBs Miss This
Small businesses often assume compliance means checking boxes or installing antivirus software. But protocol-level vulnerabilities sit below the radar, often hardcoded into legacy systems or vendor solutions.
Many MSPs still configure backup systems or file shares using unencrypted FTP simply because it’s fast and familiar. Similarly, POP3 is often enabled by default in mail clients. These defaults now carry legal consequences.
Bottom Line
Legacy protocols are no longer a technical quirk; they are a regulatory hazard. Continuing to use unencrypted FTP or POP3 in 2025 may constitute a failure to take reasonable measures to secure personal data in transit.
Regulators won’t be sympathetic to legacy excuses. Plaintiffs’ lawyers won’t either. The fix is straightforward, and the cost of inaction is growing.