CFPB Warns Insufficient Data Security Measures May Violate Consumer Financial Protection Act
On Aug. 11, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) issued Circular 2022-04 (Circular), indicating that financial institutions and service providers that fail to adopt sufficient data security measures to protect consumer financial data may violate the Consumer Financial Protection Act (CFPA) provision prohibiting unfair acts and practices. The CFPB indicates that whether a financial institution's security program is adequate under the CFPA is a fact-intensive question, but the agency does offer some basic examples of what it may consider required.
The CFPA prohibits unfair acts or practices, which are defined as an act or practice that:
- causes or is likely to cause substantial injury to consumers,
- is not reasonably avoidable by consumers, and
- is not outweighed by countervailing benefits to consumers or competition.
The CFPB warns that inadequate data security measures that fail to protect consumer data can satisfy all three elements, and that actual injury is not required to find an unfair or deceptive act. Additionally, a breach or intrusion is not necessary for the CFPB to find that a financial institution's data security practices are unfair.
Specifically, the Circular provides three examples of data security measures that, if absent, may indicate a financial institution has inadequate data security measures. These include:
- Multi-factor authentication (MFA)
- Password management policies and practices
- Timely software updates
These concepts will not be surprising to financial institutions if they are already subject to the Federal Trade Commission's Safeguards Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule contains more specific and stringent data security requirements than those the CFPB recommends in the Circular. The CFPB notes that while the Safeguards Rule's requirements may overlap with the standard set in the Circular, they are not coextensive. Financial institutions and service providers may wish to take steps to ensure compliance with both the Safeguards Rule and the CFPB's new guidance.