Lax Security Courts Liability, Says US CFPB

Regulator Urges Adoption of Web Authentication MFA
Lax Security Courts Liability, Says US CFPB

A U.S. financial regulator concerned with consumer safety is encouraging banks to adopt passwordless logon to avoid post-data breach liability.

See Also: Securing the Cloud for Financial Services

The Consumer Financial Protection Bureau in a new policy statement says the lenders under its jurisdiction run afoul of its prohibition against unfair acts or practices by failing to have adequate data protection.

The agency's statute authorizes it to police practices that likely cause a substantial injury to consumers when they can't be reasonably avoided and are unalleviated by other benefits. Poor cybersecurity is such a practice, the agency says. "Consumers cannot reasonably avoid the harms caused by a firm's data security failure," the new policy statement says. The agency is unaware of any instance when a court found countervailing benefits outweigh poor data security practices, it adds.

Lenders can take steps to avoid liability under the CFPB's prohibition of unfair practices by taking steps to mitigate the severity and avoidability of a data breach, the agency says.

Among them are multifactor authentication, including adoption of the Web Authentication method of consumer logon. Web authentication is "especially important," the agency says.

The standard, part of the FIDO2 Framework, turns devices such as a smartphone with a biometric scanner into a logon credential. It works when a bank or other institution agrees to accept a unique public-private key combination in the place of a traditional username and password. The private key necessary to activate the logon is stored on the user's device, which asks for proof of the user's identity, such as a facial scan or fingerprint reading.

Boosters of Web Authentication say it's better than other types of multifactor authentication such as one-time passcodes, which are susceptible to spoofing attacks. Hackers have increasingly turned to phishing messages with fake logon sites and capturing one-time passcodes (see: Microsoft Says Phishing Campaign Skirted MFA to Access Email).

"This is the first time a U.S. financial regulator has specifically recommended FIDO as being better than other forms of MFA," says Jeremy Grant, a managing director at Venable and an Information Security Media Group contributor.

Other steps lenders can take to avoid liability with the CFPB include better internal password management policies. Those policies should include monitoring for breaches at other sites, given people's propensity to reuse logons and passwords.

Lenders should also be updating software in a timely manner, the agency says. For an example of what not to do, it cites credit reporting agency Equifax. The Atlanta-based firm in 2017 failed to update a web server loaded with open-source web application framework Apache Struts, allowing Chinese military hackers to make off with data identifying about half of all Americans.

CFPB joined the Federal Trade Commission and 48 states to sue Equifax, a lawsuit that ended with Equifax agreeing to a multimillion-dollar settlement in 2019.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.