Consumer Financial Protection Bureau Reasserts Importance of Data Protection
Organizations with poor data security could be found in violation of the Consumer Financial Protection Act's prohibition on unfair acts or practices.
Organizations with insufficient data protection, such as weak authentication, poor password management, and poor patch management, could run afoul of the Consumer Financial Protection Bureau, the agency reiterated earlier this month.
Beyond the direct harm these poor practices cause, such as introducing weaknesses into a system and laying the groundwork for a breach or attack, the CFPB's position is that failing to address them could run counter to the Consumer Financial Protection Act (CFPA) prohibition on unfair acts or practices.
That means that organizations that fail to secure and protect data could be found in violation of the prohibition, the CFPB stressed in a circular two weeks ago.
The CFPA defines an unfair act or practice as one that meets three conditions:
- It causes or is likely to cause substantial injury. Here, a data breach or lax security measures could put an individual's information in jeopardy.
- The injury cannot be reasonably avoided by consumers. Here, consumers are rarely in a position to know whether an organization has the right security measures in place.
- The injury is not "outweighed by countervailing benefits to consumers or competition." Here, failing to maintain one's data security offers no benefit to consumers that could outweigh the harm.
"The CFPB is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely to have been caused by a company’s poor data security practices was outweighed by countervailing benefits to consumers or competition," the agency wrote.
The circular gives guidance on three common data security practices to implement: multi-factor authentication, to deter account compromise and credential phishing; password management, to combat password reuse and default enterprise logins; and timely software updates, to ensure known exploited vulnerabilities are fixed before attackers can take advantage of them.
As Troutman Pepper, a national law firm, notes, many organizations already maintain these security measures as part of an overall information security program. In addition to these measures, organizations are also encouraged to implement the following seven industry practices in concert with their programs:
Inventory/Scope Location of Company Crown Jewels
- Keep track of employees, critical software, hardware, network, and sensitive data assets to know how they work together. “Knowing the boundaries of your IT and location of your data and crown jewels allows for focus and the creation of the baseline of expected processes and behaviors that makes it easier to spot abnormal actions.”
Classify the Data and Assess All Risks and Threats to the Data
- Develop a data classification policy and perform a risk assessment to determine the risks and threats to data, including security vulnerabilities, vendor risks, and insiders.
Develop a Comprehensive Information Security Policy Suite
- Form your information security program, with insight from industry standards and compliance regulations (CCPA, SEC, etc.) to set baseline expectations of everyone from vendors to customers.
Maintain and Test Key Access Controls, Including Complex and Unique Passwords and Multifactor Authentication
- Require employees to use credentials unique to your organization. This helps defend against credential stuffing, which has been on the rise as of late.
Implementation Tip: Be Sure to Zone Out
- Consider employing network zoning to ensure sensitive systems that handle financial data are kept separate from others. Ensure access to these systems is granted on a need-to-know and/or role-based basis.
Software Updates and Patch Management
- Organizations should have policies and procedures in place to ensure their systems are kept up to date with the latest patches. Threat intelligence can help streamline this process by keeping defenders informed of the latest vulnerabilities, trends, and available fixes.
Encryption and Backup Are a Critical Pairing
- Encrypt and back up critical data, in a secure offsite location if possible, so that your organization is ready to recover quickly in the event of an incident.
Train, Train, Train
- Roll out security awareness training and tabletop cyber simulation exercises so that those in the IT trenches are better prepared to detect and avoid attacks like phishing and business email compromise scams.