
August 12, 2022

CFPB Warns Insufficient Data Security Measures May Violate Consumer Financial Protection Act

Go-To Guide:
  • New CFPB Circular indicates that failure to implement sufficient data security practices may violate the Consumer Financial Protection Act
  • Financial institutions may wish to adopt, at a minimum, multi-factor authentication, adequate password management policies, and timely software update policies to comply with new guidance
  • These requirements are in addition to, and do not replace, the FTC's Safeguards Rule for financial institutions under the GLBA

On Aug. 11, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) issued Circular 2022-04 (Circular), indicating that financial institutions and service providers that fail to adopt sufficient data security measures to protect consumer financial data may violate the Consumer Financial Protection Act (CFPA) provision prohibiting unfair acts and practices. The CFPB indicates that whether a financial institution's security program is adequate under the CFPA is a fact-intensive question, but the agency does offer some basic examples of what it may consider required.

The CFPA prohibits unfair acts or practices, defining an unfair act or practice as one that:

  • causes or is likely to cause substantial injury to consumers,
  • is not reasonably avoidable by consumers, and
  • is not outweighed by countervailing benefits to consumers or competition.

The CFPB warns that inadequate data security measures that fail to protect consumer data can cause all three results, and that actual injury is not required to find an unfair or deceptive act. Additionally, a breach or intrusion is not necessary for the CFPB to find that a financial institution's data security practices are unfair.

Specifically, the Circular provides three examples of data security measures that, if absent, may indicate a financial institution has inadequate data security measures. These include:

  • Multi-factor authentication (MFA)
  • Password management policies and practices
  • Timely software updates

These concepts will not be surprising to financial institutions if they already are subject to the Federal Trade Commission's Safeguards Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule contains more specific and stringent data security requirements than those the CFPB recommends in the Circular. The CFPB notes that while the Safeguards Rule's requirements may overlap with the standard set in the Circular, they are not coextensive. Financial institutions and service providers may wish to take steps to ensure compliance with both the Safeguards Rule and the CFPB's new guidance.
