The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the use of single-factor authentication to its list of Bad Practices. “Single-factor” means that a user’s identity is verified with only one kind of evidence, typically a username and password: anyone who obtains that password, whether by phishing it, guessing it, or finding it reused from another site’s breach, can log in as the user. It is the weakest form of authentication and should be avoided or supplemented, especially by organizations that support Critical Infrastructure or hold large amounts of user or customer data. The risk is greatest when a password is the only thing standing between the internet and the system, as with remote-access portals, internet-facing applications and mobile apps.
CISA recommends a stronger method such as two-factor (or multi-factor) authentication, which requires more than one kind of evidence: something you know, such as a password, plus something you have, such as a mobile device that generates or receives a one-time code that changes with every login attempt. In a study conducted by Google, New York University, and the University of California San Diego, adding a second factor to users’ Google accounts blocked 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks. How much the second factor helps depends on its kind: in that same study, codes sent by text message did less well against targeted attackers than on-device prompts or hardware security keys, because a code typed into a phishing page can be relayed in real time while a hardware key cannot be.
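As an added illustration (not from the CISA advisory, the Google study, or the original post), the following Python contrasts a password-only login with a password-plus-one-time-code login. The one-time codes follow RFC 4226 (HOTP) and RFC 6238 (TOTP, HMAC-SHA1, 30-second steps); the account record, its password, the fixed salt and the demo clock are constructed for the example, and the shared secret is the RFC test secret so the codes match the published test vectors. Everything here is an assumption for the demonstration, not a description of any real system.

```python
"""Added example: password-only login beside password + time-based one-time code.

Constructed demo (not CISA's or Google's code). The one-time code is RFC 6238
TOTP over RFC 4226 HOTP; the account, password, salt and clock are invented.
"""
import hashlib
import hmac
import struct

# RFC 4226/6238 shared test secret, used only so the codes can be checked against
# the published vectors. A real deployment generates a random secret per user.
RFC_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """Constructed user record: salted password hash plus the user's TOTP seed."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-fixed-salt"        # demo only; use os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1                       # highest time step already accepted

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_code(self, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
        """Accept the code for the current step or one step either side (clock skew),
        but never for a step at or below the last accepted one, so a code captured
        during a login cannot be replayed within its 30-second window."""
        current = unix_time // step
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False


def login_single_factor(acct: Account, password: str) -> bool:
    """The Bad Practice: a phished, guessed or leaked password alone opens the account."""
    return acct.check_password(password)


def login_two_factor(acct: Account, password: str, code: str, unix_time: int) -> bool:
    """Something you know (password) AND something you have (the device holding the seed)."""
    return acct.check_password(password) and acct.check_code(code, unix_time)


def demo(now: int = 59) -> dict:
    """Walk through the attacker-with-a-stolen-password scenario.

    The clock starts at the RFC 6238 test time 59 so every code equals a
    published vector; a real server uses time.time()."""
    acct = Account("correct horse battery staple", RFC_SECRET)
    stolen_pw = "correct horse battery staple"       # the attacker phished it
    code_now = totp(RFC_SECRET, now)                 # what the user's device shows
    results = {
        "sfa_stolen_password": login_single_factor(acct, stolen_pw),
        "2fa_stolen_password_no_device": login_two_factor(acct, stolen_pw, "", now),
        "2fa_legitimate_user": login_two_factor(acct, stolen_pw, code_now, now),
        # same code captured and replayed five seconds later, still inside its step
        "2fa_replayed_code": login_two_factor(acct, stolen_pw, code_now, now + 5),
        # the user's next login with the next step's code
        "2fa_next_step": login_two_factor(acct, stolen_pw, totp(RFC_SECRET, now + 30), now + 30),
    }
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:32s} -> {'ALLOWED' if allowed else 'denied'}")
```

Two details the paragraph above glosses over are visible in the code: the server must refuse a code for a time step it has already accepted (the `last_counter` check), otherwise a code captured in a phishing flow can be replayed while it is still valid; and even with that, a code typed into a phishing page can be relayed to the real site in real time, which is why the study's strongest results came from factors that cannot be relayed, such as hardware security keys.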
With single-factor authentication now on CISA’s list of Bad Practices, organizations that keep using it take on added liability. When a data breach is litigated, courts often look to industry standards to decide whether the organization made a reasonable effort to secure personal information, and an organization that fails to implement reasonable security measures is exposed to legal risk. CISA is, in effect, putting organizations on notice: single-factor authentication is not a reasonable effort to protect personal information, especially in fields that support national security, health, infrastructure and energy, or public safety.
If you have questions about your organization’s exposure to liability regarding the storing of data, please contact the attorneys at Rock Fusco & Connelly, LLC.