In 2018, privacy scandals shook the tech industry to its core. Now, new laws and regulations designed to restore consumers’ control over how their personal data is used and shared are on the horizon. Leading the charge is the European Union’s General Data Protection Regulation, or GDPR. The EU’s launch of GDPR has gained international attention, and is credited with creating a wave of new privacy and data protection regulations around the world.
Account takeover is one of the greatest threats to consumers; millions of people have been victimized by corporate data breaches that lead to identity theft and account takeover fraud. Consumers are bearing the brunt of these damages, and many are wondering how these new regulations will serve not only to restrict the unbridled sharing of private information, but also to prevent unauthorized account access.
The rise of regulations
In the United States alone, states like California and Vermont are creating their own privacy laws at the state level, while countries like Australia are instituting new data protection regulations nationwide. Many of these new laws have been influenced by GDPR, but with so many different regulations and laws popping up, businesses are now facing a new challenge: compliance.
GDPR compliance requirements are a great place to start, but there are many more privacy and data protection regulations organizations must consider. What level of compliance you need to attain can vary depending on where you do business and what industry you’re working in.
While GDPR does not mention password policies specifically, that doesn’t mean you don’t need one. Passwords play an integral role in guarding against unauthorized access to sensitive information. This means that while passwords may not be explicitly mentioned in a regulation or law, if passwords are used in your security system, they need to be policy-compliant. Regardless of which policy you need to comply with, strong password protection is going to be key.
Will these regulations stop account takeover?
As Net Sec explains, GDPR requires “a high level of protection of personal data.” The legislation stipulates further, “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data.”
In theory, a GDPR-compliant password policy should make account takeover hard to accomplish. But the reality is that many corporations still have gaps in their security that can be easily exploited.
As Ultra Auth founder Reza Piri explains, “Cyber criminals essentially play the numbers game with account takeover. It is mathematically proven to be faster and more effective (time and money) for a cyber criminal to take a very large list of exposed credentials and drop them into software that can process 100,000 credentials per hour / per website rather than trying to hack 100,000 computers individually. To boil it down, account takeover costs a few hundred dollars to purchase these lists and only takes hours to implement the attack.”
Account takeover is very costly to the individual, yet many companies try to avoid disclosing data breaches. In fact, Congress has even had to draft penalties for businesses that wait too long to inform the public. While new regulations are headed in the right direction, it is still up to consumers to take steps to protect themselves against account takeover.