Many consumers, and many employees, have dozens of passwords for access to different systems, services, networks, devices, and terminals. From a corporate perspective, many companies have at least two policies that impact passwords - a password selection or management policy, and a security policy that may include how passwords maintained by the company are secured.
A password selection or management policy discusses an organization's standards for password assignment and password strength (i.e., how complex the password that a user selects must be in order to prevent the password from being stolen or guessed). For organizations that maintain lists of passwords, several states have enacted legislation that requires the organization to "implement and maintain reasonable security measures to protect" the usernames and passwords that are in their possession. As a result, whether the organization maintains a system that allows third-party users to create password-controlled accounts is often a factor that is considered when conducting a data security assessment. One of the primary concerns is that even if the service or database for which the username and password are used is not sensitive, and does not house other categories of sensitive information, people often re-use their usernames and passwords for multiple services or systems. As a result, if a bad actor is able to obtain a username and password for an individual that relates to a non-sensitive system maintained by one organization, the bad actor may be able to leverage those credentials to try to access a sensitive system held by a different organization.
What to think about when designing or reviewing a password selection or use policy:
If you lose an individual's username and password, it may trigger, in some jurisdictions, a requirement that you notify the individual and/or a state regulator.
Reprinted with permission from Bryan Cave Leighton Paisner Data Matters, November 5, 2018
Mr. Zetoony is an internationally recognized data privacy and security attorney who has been called a "Cybersecurity & Data Privacy Trailblazer," and the top "Legal Influencer," by legal sources such as the National Law Journal, Lexology, and JD Supra. email@example.com With over 1,400 lawyers in 32 offices across North America, Europe, the Middle East and Asia, Bryan Cave Leighton Paisner LLP is a fully integrated global law firm that provides clients with connected legal advice, wherever and whenever they need it. The firm is known for its relationship-driven, collaborative culture, diverse legal experience and industry-shaping innovation and offers clients one of the most active M&A, real estate, financial services, litigation and corporate risk practices in the world. www.bryancave.com.
Notice: This article is designed to provide accurate and authoritative information in regard to the subject matter covered. It has been provided to member schools with the understanding that ACSI is not engaged in rendering legal, accounting, tax, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Laws vary by jurisdiction, and the specific application of laws to particular facts requires the advice of an attorney.
Association of Christian Schools International