Service providers have to be careful about how they capture user data.
The internet will not be secure until every user enjoys guaranteed data privacy. Until this is in place, cybercriminals will continue to outpace their victims.
Data privacy laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are changing the way internet users and their service providers interact. These regulations are fundamental in securing users’ rights to their own data privacy.
These laws even have broad political support among service providers required to change their processes to remain compliant. However, many providers are not sure where to begin and have trouble determining what types of data need protection.
Passwords are a major point of confusion for service providers. Almost every web app that employs user credentials has to capture user passwords to work. IT leaders running these services are now asking themselves whether their password management processes are compliant.
Every organization that employs user credentials needs to address this problem. Read on to find out how you can keep your organization compliant as the world moves towards increasingly secure data privacy practices.
Non-Compliance Can Lead to Major Fines
Facebook made headlines in March 2019 for accidentally leaving hundreds of millions of user passwords in an unencrypted plain-text folder for years. This serious security breach exposed highly sensitive user data to the public.
Facebook’s password storage blunder is not illegal according to any current legal framework in the United States—for now. In Europe, this breach of user trust could lead to a $2.2 billion fine.
Data privacy laws like the GDPR and CCPA give the government the legal authority it needs to crack down on unsafe digital storage practices. Europe’s law assesses fines up to 4% of a company’s global annual turnover, which explains Facebook’s massive potential liability.
Not every organization makes tens of billions of dollars per year like Facebook does, but no executive or IT leader wants to give up 4% of their organization’s hard-earned revenue because of a security blunder. Secure password capture and storage is a critical step on the path to data security.
Pending legislation in the United States will likely assess similarly steep fines for non-compliance. Organizations the world over must take decisive action towards securing user passwords.
Secure Password Capture for GDPR & CCPA
The text of the GDPR is not specific about the technologies that organizations need to use when capturing and storing user passwords. Regulators intentionally left these sections ambiguous so as not to encourage cybercriminals to focus their efforts on defeating some specific platform or technology.
Instead, the text uses phrases like “appropriate safeguards” and “appropriate measures” when referring to password security. This gives organizations a certain degree of freedom in determining what constitutes a strong password policy.
At the same time, this language leaves room for regulatory interpretation. European regulators are very unlikely to consider Facebook’s plain-text password storage an example of an “appropriate” security measure.
CCPA also avoids naming specific technologies or conventions related to password management. However, it stipulates that role-based access be enforced with security-oriented password management solutions. It empowers the attorney general to seek civil penalties of up to $7,500 for every intentional violation of the code, and it empowers users to seek damages from organizations that misuse sensitive data.
As a result, organizations will need to consider password storage solutions that meet their users’ concerns and the organization’s security budget. This gives organizations an incentive to lean towards security-as-a-service (SaaS) companies instead of developing their own in-house solutions at great expense.
Password Resets Are a Key Weakness
One of the things GDPR does specifically regulate is password reset processes. The law requires organizations to put secure systems in place for preventing IT help desk employees from obtaining direct access to passwords.
If your company’s IT help desk staff communicates new passwords directly to employees, you might find yourself answering to regulators in the near future.
GDPR requires password resets to employ multifactor authentication and automatically generated temporary passwords. That means employees have to prove their identity using at least two independent credentials, and help desk staff cannot access employee passwords even while helping them reset lost or compromised ones.
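The two technical points the article makes, that passwords must never be stored in plain text (the Facebook incident above) and that a reset must go through a second factor and an automatically generated temporary password that help desk staff never see, can be shown in one small flow. The following is an added example, not code from the article or from any vendor it refers to. It is a self-contained Python service with an in-memory store; the scrypt parameters, the 15-minute lifetime, the attempt limit and the audit line format are assumptions chosen for the example, and whether the second factor was verified is passed in as a flag because the MFA challenge itself lives elsewhere.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this example (not taken from the article).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TEMP_PASSWORD_TTL_SECONDS = 15 * 60
MAX_TEMP_ATTEMPTS = 5


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash. Only this digest is ever persisted, never the secret."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._credentials = {}   # user_id -> (salt, digest) of the live password
        self._pending = {}       # user_id -> pending reset record (hash of the temp password)
        self.audit_log = []      # what help desk staff or an auditor may review

    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[user_id] = (salt, hash_secret(password, salt))

    def verify_password(self, user_id: str, password: str) -> bool:
        rec = self._credentials.get(user_id)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hash_secret(password, salt))

    def start_reset(self, user_id: str, second_factor_verified: bool):
        """Issue a single-use temporary password after the second factor succeeded."""
        if not second_factor_verified:
            self.audit_log.append(f"reset denied user={user_id} reason=second_factor")
            raise PermissionError("second factor not verified")
        temp_password = secrets.token_urlsafe(12)   # generated by the system, not by staff
        salt = secrets.token_bytes(16)
        ticket = secrets.token_hex(4)
        self._pending[user_id] = {
            "ticket": ticket,
            "salt": salt,
            "digest": hash_secret(temp_password, salt),
            "expires_at": self._clock() + TEMP_PASSWORD_TTL_SECONDS,
            "attempts": 0,
            "used": False,
        }
        self.audit_log.append(f"reset issued user={user_id} ticket={ticket}")
        # The clear-text value goes to the delivery channel (e.g. the user's verified
        # device) and is never written anywhere the help desk can read it.
        return ticket, temp_password

    def helpdesk_view(self, user_id: str) -> dict:
        """The only reset data exposed to staff: ticket id and state, no secret material."""
        rec = self._pending.get(user_id)
        if rec is None:
            return {}
        return {"ticket": rec["ticket"], "expires_at": rec["expires_at"],
                "used": rec["used"]}

    def complete_reset(self, user_id: str, temp_password: str, new_password: str) -> bool:
        rec = self._pending.get(user_id)
        if rec is None or rec["used"] or self._clock() > rec["expires_at"]:
            self.audit_log.append(f"reset rejected user={user_id} reason=no_valid_ticket")
            return False
        if not hmac.compare_digest(rec["digest"], hash_secret(temp_password, rec["salt"])):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_TEMP_ATTEMPTS:
                rec["used"] = True   # burn the ticket after repeated failures
            self.audit_log.append(f"reset rejected user={user_id} reason=bad_temp_password")
            return False
        if new_password == temp_password:
            return False             # the temporary value must not become the live password
        rec["used"] = True
        self.set_password(user_id, new_password)
        self.audit_log.append(f"reset completed user={user_id} ticket={rec['ticket']}")
        return True
```

Two design choices carry the compliance point: the credential store and the pending-reset store hold only salted scrypt digests, so a dump of either yields nothing a person could read or reuse, and the help desk API exposes a ticket id and state but no secret, so staff can confirm that a reset was issued without ever being able to communicate a password to anyone.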
On-Demand Password Management Compliance
Security is a dynamic field. Tomorrow’s technological advances can radically change what security experts consider “best practice” today. It takes constant vigilance to stay ahead of the curve.
Organizations will either have to regularly invest in increasingly complex in-house solutions for password management security or outsource their security concerns to a reputable vendor. Business and IT leaders will need to keep a wary eye on developments occurring in the cybersecurity world.
Regulators have a great degree of freedom when considering what constitutes “appropriate” password security. Organizations that have not already implemented best-in-class password management solutions should deploy trusted third-party solutions that guarantee compliance.