A Brief Dive Into PIPA’s Take On Passwords
Are you legally required to be regularly changing them?
In last week’s newsletter I talked about a PIPA requirement regarding passwords that has serious implications when combined with PCI-DSS. That investigation led to a couple of other useful questions, so I figured it might be a good idea to dig into the details. First though, I’d like to talk a little bit about how you are supposed to interpret the wording of a law. Laws can’t cover every possible situation, so interpreting them means looking at a situation not on its own terms but from the point of view of the law’s purpose.
As an example, let’s briefly talk about interpreting drunk driving laws. The overall purpose of laws regarding driving while under the influence is to prevent drunk driving and punish it when it happens. So when you need to consider how those rules should be applied, the question you should be asking is “Will this help prevent people from driving drunk?”
Makes sense? Okay, let’s move back to PIPA. As you probably know by now, PIPA stands for the “Personal Information Privacy Act” and is an Albertan act meant to protect people’s personal information. That means when you’re interpreting PIPA, you should be asking “Will this offer protection for personal information?” whenever there’s a conundrum. (If you’re unsure how exactly personal information is defined, it’s spelled out in the act, but basically it’s any combination of information that can be used to identify someone.)
When it comes to passwords, PIPA 12.19 states the following requirement(s):
Where authentication is based on username and password, are effective policies or controls in place to ensure robust passwords are used?
This is actually the only password requirement stated in the act, and notice there is no specific requirement to change them. They just need to be “robust” and be supported by policies and/or controls. So why am I still advocating changing them and still claiming it’s a requirement? For that you need to look a little bit further into PIPA.
Although this section (PIPA 16.1) doesn’t explicitly mention passwords, it does have more to say regarding the requirements that apply to your systems:
Are all relevant statutory, regulatory, and contractual requirements explicitly defined and documented for each information system?
We’ve got two parts of the puzzle now, so let’s bring in the third, industry regulations regarding payment card processing.
PCI-DSS v4.0 8.3.9
If you’re subject to PCI-DSS (which every place that accepts plastic is), v4.0 8.3.9 outlines the following password requirement:
If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
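The 8.3.9 requirement has two parts that are easy to get wrong in an audit: it only applies to accounts where a password is the sole factor, and the 90-day clock is one of two alternatives. The following is an added example (not code from the original post or from the PCI Security Standards Council) showing how a simple account-inventory check can separate the in-scope accounts from the out-of-scope ones. The account records, field names (`username`, `password_changed`, `mfa`, `dynamic_analysis`) and dates are constructed for illustration.

```python
from datetime import date

# PCI-DSS v4.0 8.3.9, as quoted above: where a password is the only
# authentication factor, it must be changed at least every 90 days
# unless the dynamic-analysis alternative is implemented instead.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample inventory (not real accounts). Each record states
# whether a second factor is enforced and whether the account is covered
# by the dynamic security-posture alternative in 8.3.9.
SAMPLE_ACCOUNTS = [
    {"username": "alice", "password_changed": date(2024, 1, 10), "mfa": False},
    {"username": "bob", "password_changed": date(2024, 4, 15), "mfa": False},
    {"username": "carol", "password_changed": date(2023, 12, 1), "mfa": True},
    {"username": "svc-report", "password_changed": date(2024, 2, 20),
     "mfa": False, "dynamic_analysis": True},
]


def in_scope_for_rotation(acct):
    """True only for single-factor accounts that rely on the 90-day option."""
    if acct["mfa"]:
        return False  # a second factor takes the account out of 8.3.9
    if acct.get("dynamic_analysis", False):
        return False  # the alternative control satisfies 8.3.9 without rotation
    return True


def rotation_findings(accounts, today):
    """Return (username, age_in_days) for every in-scope account whose
    password is older than MAX_PASSWORD_AGE_DAYS as of `today`."""
    findings = []
    for acct in accounts:
        if not in_scope_for_rotation(acct):
            continue
        age = (today - acct["password_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["username"], age))
    return findings


if __name__ == "__main__":
    for user, age in rotation_findings(SAMPLE_ACCOUNTS, date(2024, 6, 1)):
        print(f"{user}: password is {age} days old, exceeds 90-day limit")
```

Run against the constructed inventory with an as-of date of 2024-06-01, only `alice` is reported: `bob` rotated recently, `carol` has a second factor, and `svc-report` is covered by the dynamic-analysis alternative. In a real audit the inventory would come from your directory or identity provider, and the policy document PIPA 16.1 asks for should record which of the two 8.3.9 options each system relies on.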
So how does all this combine to transform PCI-DSS’s non-legal regulation regarding passwords into a legal requirement? Well, remember what I said about interpreting laws? Let’s assume you are subject to PIPA/PIPEDA’s regulations and you accept plastic as a form of payment. That means you are also subject to both sets of rules.
Now, PIPA 16.1 states you need to be both aware of and to document the rules described in PCI-DSS, and because that requirement comes from PIPA, you need to look at the situation from the perspective of protecting personal privacy. From that point of view it’s clear that PIPA 16.1 doesn’t end with you simply being aware of your statutory, regulatory, and contractual requirements; it also expects you to work towards compliance with them. The end result? PCI-DSS compliance (or a plan you’re following to become compliant) stops being a regulation imposed by banks and becomes a legal requirement authorized by PIPA.
All of this comes with the caveat that we here at TRINUS are IT experts, not lawyers, and while I’m confident in this interpretation, don’t consider it legal advice. This is just a conversation about how laws and cybersecurity can interact to create legal complications you might not otherwise consider. I haven’t found any evidence that the Office of the Information and Privacy Commissioner (OIPC) has weighed in one way or the other. Maybe the intention was simply to encourage compliance with regulations, or maybe it was to give regulations some legal teeth, allowing charges/fines to be laid in response to organizations ignoring their regulatory requirements. Regardless of the reason you decide on, we can probably agree these interactions are deliberate and not there by accident.
If you’re curious about what cybersecurity legislation and regulations apply to your business or organization and how they may interact, ask a TRINUS cybersecurity expert and we’ll be happy to give you advice on how to achieve compliance if needed.
The Shakespeare quote for this newsletter comes from the play Titus Andronicus: “Come, and take choice of all my library, and so beguile thy sorrow.”