Douglas Panzer
April 22, 2013

Dear General Counsel, Is Your Customer-Facing Website Storing Plain Text Login Credentials? (Part 1)

Your business relies on its website to provide information and service to customers and to increase the business’s own efficiency. What happens when that efficiency is stymied by a customer’s “senior moment”…the all-too-common forgotten password? If the answer is a reminder email to the customer containing his or her username and password in plain text, you may want to notify your insurance carrier and replenish your litigation counsel retainer.

Now, I’m not saying the practice of emailing usernames and passwords is a slam-dunk path to civil or criminal liability. However, the risks associated with such a practice may be greater than you know and are undoubtedly greater than your business should be willing to subject itself to. Perhaps customers manage their contact information or email subscriptions online. Perhaps you provide true e-commerce and store credit card information. In providing their information, your customers rely on your business to provide reasonable safeguards for the personal information you store about them, and your business has a duty – in the truest legal sense of the word – to do so.

E-Mail: Just One Link in Your Non-Secure Communication Chain

Did you know that email is not a secure means of communication? It’s true. Many readers will already know that email was designed without confidentiality in mind: a message is handed from server to server as readable text, and any encryption applied on a given hop is optional and protects only that hop. The message then sits, fully readable, in the logs, backups and mailboxes of every system that handled it, including your own outbound mail server and the customer’s inbox, whether that inbox is shared, forwarded or later compromised. Some small comfort may be found in knowing that the email programs used to send and receive these messages require usernames and passwords, but that only controls who may log in to a mailbox; it does nothing for a message that is intercepted in transit or read from a stored copy, which requires no translation or decryption to reveal its full contents. But even the ability of your business to send plain text login credentials signals larger technical shortcomings.

Plain Text Means Something is Plain Wrong in the System Architecture

In order for a customer support system or representative to be able to retrieve a username/password combination and send it to the user, one of two scenarios must be at play: Either a) your tech folks are storing the password in your company’s database as plain text; or b) the password, though stored encrypted, uses reversible encryption, and the application (and therefore anyone who administers it) holds the key. Neither is a tech security best practice. The accepted practice is to store only a salted, deliberately slow one-way hash of the password: the system can check whether the password a customer types is correct, but nobody – not the developer, not the administrator, not the CSR – can read the password back out. A customer who forgets a password is then sent a short-lived, single-use reset link and chooses a new one; the old password is never disclosed, because it cannot be. If your system can email the old password, arguably you are failing in your duty to safeguard private customer information. Heck, that practice doesn’t even comport with common state privacy laws’ definition of encryption.

Massachusetts regulation 201 CMR 17.00 (that state’s data security regulation), for example, defines “Encrypted” as “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.” If your company’s customer-facing system can decrypt stored user credentials on demand, the key is available to the application, and there is at least one software developer who has seen the key or process while coding it. If your company’s email system can then send that decrypted information over standard email, there is likely at least one system administrator who can see those sent emails on your system. We’re up to two people who shouldn’t have access…shall I continue? What if – please don’t be the one reader whose company does this – your CSRs can look up usernames and passwords in order to communicate them to customers? What’s the number now? By the letter of the law (at least Massachusetts’ law…which, by the way, is nearly identical to many others) your process may not even represent encryption at all, since the process or key is arguably no longer confidential.
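To make the contrast concrete, here is an added example, written for this edit and not code from the original post or from any particular vendor, of what a credential store that *cannot* email a password back looks like. It uses PBKDF2 from Python’s standard library so it runs anywhere (a memory-hard function such as Argon2id or bcrypt, available through third-party libraries, is the better choice in production), keeps only a salted one-way hash, and handles a forgotten password by issuing a random, expiring, single-use token instead of disclosing anything. The user table, function names and the 15-minute token lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory user table standing in for the customer database.
USERS = {}

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's 2023 recommendation is 600,000).
PBKDF2_ITERATIONS = 600_000
# Assumed lifetime of a password-reset token.
RESET_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted, deliberately slow one-way hash. The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised for new passwords later.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash under the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hashed once at start-up; checked against when the username does not exist, so the
# time a login attempt takes does not reveal which usernames are real.
_DUMMY_HASH = hash_password("placeholder")


def register(username, password):
    USERS[username] = {"password_hash": hash_password(password), "reset": None}


def login(username, password):
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_HASH)
        return False
    return verify_password(password, record["password_hash"])


def issue_reset_token(username, now=None):
    """What the 'forgot password' email carries: a random, expiring, single-use token.

    Only a hash of the token is stored, so reading the database does not yield a
    usable token. Returns None for unknown users; the web layer should still reply
    'if that account exists, an email has been sent' either way.
    """
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    token = secrets.token_urlsafe(32)
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token


def redeem_reset_token(username, token, new_password, now=None):
    """Set a new password if the token matches, is unexpired and has not been used."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    if now > pending["expires"]:
        record["reset"] = None
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    record["password_hash"] = hash_password(new_password)
    record["reset"] = None  # single use: the same link cannot be replayed
    return True
```

Note what a support representative can and cannot do here: they can trigger issue_reset_token for a customer, but nothing in the store lets them, a developer or an administrator recover the existing password, which is exactly the property the Massachusetts definition of “encrypted” is reaching for.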

Do a Legal Review and Work With IT to Craft a Policy

In order to minimize the risk of data loss by the organization, and of the resulting negligence claims against it, it is incumbent upon counsel to apprise themselves of the practices used by their company with regard to login credential storage, encryption, communication and reset procedures. Find out what your tech people are doing now and work with them to craft a written policy for the future. Then, be sure to follow up at regular intervals to ensure compliance with the policy. Anything less may be less than due care.

Next Time: Is plain text credential storage criminal?
