
Regulator: Insufficient Security Can Violate Rule Without Breach


In a consumer financial protection circular issued in August, the Consumer Financial Protection Bureau (CFPB) said entities with insufficient data protection or information security can violate the Consumer Financial Protection Act (CFPA).

The violation can be considered an unfair act or practice under CFPA, the bureau said in the circular.

The circular is considered a general statement of policy with no binding legal effect. However, the CFPB said the circulars are “intended to promote consistency” in regulatory enforcement, including consumer finance rules enforced by the Federal Trade Commission (FTC).

In the circular, the CFPB says data breaches and cyberattacks have significantly harmed consumers. The CFPB cites the FTC’s updated Safeguards Rule, which fully takes effect in December. The CFPB says failure to comply with new FTC requirements may not only be illegal under the Safeguards Rule but also be an unfair act or practice under CFPA.

The CFPB said a data breach is not required for covered entities to violate CFPA.

“Actual injury is not required to satisfy this prong in every case,” the CFPB said of unfair acts or practices. “A significant risk of harm is also sufficient. In other words, this prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”

The CFPB circular said consumers cannot reasonably avoid harm caused by a firm’s data security failures.

“Where companies forgo reasonable cost-efficient measures to protect consumer data, like those measures identified below, the Consumer Financial Protection Bureau (CFPB) expects the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition,” the circular said. “The CFPB is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely to have been caused by a company’s poor data security practices was outweighed by countervailing benefits to consumers or competition. Given the harms to consumers from breaches involving sensitive financial information, this is not surprising.”

The CFPB listed three potential measures companies can adopt to better secure consumer data:

  • Multi-factor Authentication: The CFPB said multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts and access sensitive customer data.
  • Adequate Password Management: For firms still using passwords, the CFPB said password management policies and practices provide ways to monitor for breaches at other entities where employees may be re-using logins and passwords.
  • Timely Software Updates: The CFPB said protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
