What Role Does Password Expiration Play In CCPA Compliance?

What Role Does Password Expiration Play In CCPA Compliance?

Achieving California Consumer Privacy Act (CCPA) compliance takes work. You need to train your employees, measure risk and evaluate your technology. However, you also have limited time, so where can you focus your efforts for the best results? Password management and password expiration are helpful techniques you can use to fulfill your CCPA compliance requirements.

Two Ways Password Management Contributes to CCPA Compliance

Your approach to CCPA compliance and passwords needs to cover two groups. First, tighten your internal controls for user access and authentication. Second, provide tighter governance for end-user or consumer accounts and passwords. A robust password expiration policy will help address both of these needs.

Optimize Internal Security For Employees

Fraud, employee misconduct and technology errors are a major contributing cause to IT security incidents. According to a survey of 1,000 business leaders, human error (including by employees) accounts for nearly half of IT security events. Regarding CCPA compliance, you need safeguards to detect and prevent the misuse of consumer data. If you have these practices in place and still suffer a CCPA compliance violation, pointing to your systems and processes may reduce the negative impact of the violation. Certainly, a lack of internal controls and governance over access will not help your case.

Start with the fundamentals of password management, as noted below. If you already have these practices in place, consider reviewing them for effectiveness. Designing a security system without checking its effectiveness is a waste of time. 

●  Create (or update) your password policy. A simple one-page document is all you need to get started. Explain both the password rules (e.g. number and type of characters) and best practices for protecting passwords.

●  Review password management reports for exceptions. Like it or not, there are some cases where people ask for exceptions to password requirements. For example, a user might ask to share access credentials with a colleague on a short term basis so they can provide backup for an upcoming vacation. Take stock of these exceptions and assess ways to reduce the risk.

●  Provide password training to employees. Consider leveraging public events like National Cybersecurity Awareness Month to promote better IT security practices. To guide your approach to password training, use our guide: How to Deliver Password Management Training to Your Employees This Week.

Managing Customer Accounts: Verification

Some aspects of the CCPA relate to verification and password-protected accounts. Review your password management practices to ensure you can respond to consumer requests. Here are some specific tips to get you started. 

●  General Rules Regarding Verification. This CCPA section includes a necessary provision that: “A business shall use reasonable security measures to detect fraud and protect personal information from unauthorized access.” Therefore, review and update your password policy and privacy policies for consumers to align with CCPA.

●  Verification For Consumer Requests. Under the CCPA, consumers have various rights to information, including the “request to know” and “request to delete” information. Before providing sensitive customer data, you need to have a robust verification process in place. In particular, make sure you document the consumer request and how the request was verified. Without these safeguards, fraudsters and criminals may attempt to submit invalid CCPA requests.

Now that we have established a few CCPA compliance principles, let’s take a closer look at password expiration as a tool. Think of password expiration as a technique to improve your CCPA compliance fundamentals. It is not enough on its own to achieve CCPA compliance.

Password Expiration For CCPA Compliance: Three Practical Tips

Consider two scenarios for password expiration. In scenario one, passwords have no expiry date and may be used forever. In scenario two, passwords expire after 60 days of inactivity. Which scenario lowers the likelihood of fraud and privacy breaches? Clearly, scenario two is the better option. However, there are trade-offs to consider. If you expire passwords too often, your end-users will suffer lost productivity. Use password expiration to enhance your CCPA compliance program with these tips. 

1) Apply Frequent Password Expiration To Highly Sensitive Systems

The CCPA recognizes that not all data and systems are the same; some data is more sensitive than others. Therefore, you have a good case for applying frequent (e.g. every 30 days) password expiration requirements on highly sensitive systems. In particular, customer service and order databases would benefit from this level of control. This control reduces the risk of employee misconduct in handling customer information.

2) Apply Password Expiration To Customer Accounts Based On Risk

There is a fraud risk associated with CCPA compliance. If a fraudster impersonates a customer and requests confidential data via a CCPA request, fulfilling that request puts your company at risk. You can reduce the probability of fraud by applying password expiration to customer accounts based on risk. For example, you might expire a customer password if there is no activity for 90 days. Alternatively, you might expire a password based on behavior patterns (e.g. user login attempts from multiple countries on the same day or week). Monitor the results of password expiration on the customer experience to make sure you are not too aggressive.

3) Protect CCPA Compliance Requests with Password Expiration

Some companies collect large amounts of customer information and may face a high volume of CCPA compliance requests. In that situation, you may set up a specialized portal for customers to submit and manage CCPA compliance-related information. Such requests are inherently highly sensitive by their nature. Therefore, applying a strict password expiration process is reasonable to provide enhanced security protection.

The Easy Way To Improve CCPA Compliance Success Overnight

Achieving CCPA compliance is daunting. Make just one mistake, and your company could land in the press and suffer fines! Since IT security stands or falls based on the weakest link in your program, you can’t afford to take chances with manual processes. Use a software solution like Password Station to apply a uniform password policy to all users at all times. Without software tools, managing CCPA compliance can quickly become a full-time job for your IT security specialists.

Written by Nelson Cicchitto