Consumer Financial Protection Bureau Recommends Password Management as a Data Security Practice
Data breaches are increasingly putting consumers at risk of identity fraud and other cybercrimes. Regulatory agencies are responding to this trend by putting more pressure on companies to protect consumer data—either through new regulations or updated guidance. The most recent development in this area comes from the Consumer Financial Protection Bureau (CFPB), which stated in August that inadequate security of sensitive consumer data could violate prohibitions on unfair practices.
To help companies protect sensitive data, the CFPB recommended that organizations adopt three common security practices, including password management, to protect customer information. Here’s why this is important.
The CFPB’s statement on insufficient data protection
In 2021, the number of data breaches and similar incidents in the U.S. was up 68% over the previous year, reaching new highs, according to the Identity Theft Resource Center. These incidents increase the risk of fraud and other financial crimes to consumers. As the August CFPB circular states, “the widespread data breaches and cyberattacks have resulted in significant harms to consumers.” Because one definition of an “unfair business practice” is that it creates significant harm, entities that have weak data security practices may be violating unfair practices under the Consumer Financial Protection Act (CFPA). The bureau lists ransomware attacks, exploits, and cyberattacks as other types of instances that could turn into data breaches and cause substantial harm to consumers.
What’s significant about the CFPB’s assertion is that unfair practices may be violated even in the absence of an actual data breach. Even if no breach occurs in one year, that does not mean the unprotected data is secure forever.
The CFPB recommended three common cybersecurity practices to avoid violations:
- Implementing multi-factor authentication
- Creating password management policies and procedures
- Updating software in a timely manner
The CBFP cited several previous cases, such as the Equifax data breach, as precedents, saying these cases indicate that the failure to implement these common data security practices “will significantly increase the likelihood” that a company may be violating the unfair acts and practices prohibition.
Password management gets increased attention
In the last year or two, there’s been more emphasis from government entities, regulatory bodies, and industry groups alike on implementing password policy and password management practices. One example is the executive order on cybersecurity that U.S. President Biden issued in May 2021. As a result of the executive order, the National Institute of Standards and Technology (NIST) deemed password managers critical software for an IT environment, recognizing them as essential to information security.
This increased attention illustrates how critical password practices have become in the digital age. Not surprisingly, one of the four key behaviors that are the focus of this year’s Cybersecurity Awareness Month in October is the use of strong passwords and a password manager.
The goal of this annual campaign is to remind people and organizations how basic cybersecurity practices can keep their data secure. This is an opportune time for your organization to revisit your password policy—or implement one if you haven’t already.
Want to learn more about using a password manager for your business?
Check out Dashlane's business plans or get started with a free business trial.
Creating a password management policy
A password policy helps improve cybersecurity through password management best practices. The policy outlines a set of password rules for your business accounts, including the tools and procedures that employees need to use.
The password policy should cover aspects such as:
- Requirements for creating strong and unique passwords for each account
- Information about the password manager your business uses
- Best practices for securely sharing, storing, and managing passwords
- Unsecure behaviors to avoid, such as storing passwords in browsers and reusing passwords for different accounts
One of the most important aspects to keep in mind about your password policy is that it needs to balance your organization’s security needs with your employees’ needs. Your policy is only as strong as its adoption across your organization, and making your policy human-centric goes a long way in getting employee buy-in.
Consider strategies that boost adoption success, such as:
- Promoting a security culture that helps employees understand how cybersecurity protects both them and the organization
- Incorporating conversations about the importance of good password hygiene in your employee onboarding and implementing regular cybersecurity training throughout the year
- Providing the tools employees need for maintaining good password security, such as a user-friendly business password manager
The recent CFPB circular indicates that the bureau is focusing on data security, and it’s just one example of how government entities are creating new expectations for organizations. Cybersecurity basics are a prerequisite for any business in the digital age—and the requirements for common practices such as password management will only continue to expand.
Dashlane’s password manager for business can help you implement a strong password policy and best practices for password management. Our password manager comes with a suite of robust capabilities and is simple to use, helping boost your data security without getting in the way of productivity.
Start a free trial and learn how Dashlane can help your organization improve data security.
References
- Identity Theft Resource Center, Annual Data Breach Report - ITRC, 2021
Sign up to receive news and updates about Dashlane