Lax Security Courts Liability, Says US CFPB - BankInfoSecurity

2022-08-14 04:22:42 By : Ms. Anna Wu

A U.S. financial regulator concerned with consumer safety is encouraging banks to adopt passwordless logon to avoid post-data breach liability.


The Consumer Financial Protection Bureau in a new policy statement says the lenders under its jurisdiction run afoul of its prohibition against unfair acts or practices by failing to have adequate data protection.

The agency's statute authorizes it to police practices that are likely to cause substantial injury to consumers, that consumers cannot reasonably avoid, and that are not outweighed by countervailing benefits. Poor cybersecurity is such a practice, the agency says. "Consumers cannot reasonably avoid the harms caused by a firm's data security failure," the new policy statement says. The agency adds that it is unaware of any instance in which a court found that countervailing benefits outweighed poor data security practices.

Lenders can avoid liability under the CFPB's prohibition of unfair practices by taking steps that reduce both the severity and the avoidability of a data breach, the agency says.

Among them is multifactor authentication, including adoption of the Web Authentication method of consumer logon. Web Authentication is "especially important," the agency says.

The standard, part of the FIDO2 Framework, turns devices such as a smartphone with a biometric scanner into a logon credential. It works when a bank or other institution agrees to accept a unique public-private key combination in the place of a traditional username and password. The private key necessary to activate the logon is stored on the user's device, which asks for proof of the user's identity, such as a facial scan or fingerprint reading.

Boosters of Web Authentication say it's better than other types of multifactor authentication such as one-time passcodes, which are susceptible to spoofing attacks. Attackers have increasingly turned to phishing messages that lead to fake logon sites and capture one-time passcodes (see: Microsoft Says Phishing Campaign Skirted MFA to Access Email).

"This is the first time a U.S. financial regulator has specifically recommended FIDO as being better than other forms of MFA," says Jeremy Grant, a managing director at Venable and an Information Security Media Group contributor.

Other steps lenders can take to avoid liability with the CFPB include better internal password management policies. Those policies should include monitoring for breaches at other sites, given people's propensity to reuse logons and passwords.

Lenders should also update software in a timely manner, the agency says. As an example of what not to do, it cites credit reporting agency Equifax. In 2017 the Atlanta-based firm failed to update a web server running the open-source web application framework Apache Struts, allowing Chinese military hackers to make off with data identifying about half of all Americans.

CFPB joined the Federal Trade Commission and 48 states to sue Equifax, a lawsuit that ended with Equifax agreeing to a multimillion-dollar settlement in 2019.

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.
