August 12, 2022

CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice


Key Takeaways

  • The lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

On August 11, the CFPB published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA's prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but "[w]hile these requirements often overlap, they are not coextensive." This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.

The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, (3) where the substantial injury is not outweighed by countervailing benefits to consumers or competition. The CFPB explained that inadequate data security measures can cause substantial injury, such as significant harm to a few consumers who become the victims of targeted identity theft or harm to potentially millions of consumers in the event of large customer-base-wide data breaches. The agency stressed that actual injury is not required to meet the substantial injury prong, as a significant risk of harm is also sufficient. This means that even practices that are merely likely to cause substantial injury, such as inadequate data security measures that have not yet resulted in a data breach, can still satisfy this prong of unfairness.

With respect to the second prong of unfairness, the CFPB explained that consumers are unable to reasonably avoid the harms caused by a firm's data security failures as they typically do not know whether appropriate security measures are properly implemented, do not control an entity's security measures, and lack practical means to reasonably avoid harms resulting from data security failures. As for the final prong, the CFPB noted that where companies forgo reasonable cost-efficient measures to protect consumer data, the agency expects the risk of substantial injury to consumers to outweigh any purported countervailing benefits to consumers or competition.

The circular also highlighted a number of data security-related cases brought by the FTC, wherein the agency alleged violations of its analogous prohibition against unfair practices under the FTC Act in connection with inadequate authentication practices, poor password management, failure to remediate known software security vulnerabilities, and other deficient data security practices.

The CFPB provided the following examples of conduct that increase the risk of triggering liability under the CFPA:

  • Not requiring multi-factor authentication for employees or not offering multi-factor authentication as an option for consumers accessing systems and accounts, or failing to implement a reasonably secure equivalent.
  • Not having adequate password management policies and practices. This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords, and using default enterprise logins or passwords.
  • Not routinely updating systems, software, and code or failing to update them when notified of a critical vulnerability. This includes using versions of software no longer actively maintained by vendors and not keeping track of which systems depend on what software to ensure that software is up to date. The CFPB highlighted its complaint against Equifax over the consumer reporting agency's 2017 data breach. The CFPB alleged that Equifax violated the CFPA's prohibition on unfair acts or practices by, among other things, failing to patch a known vulnerability for more than four months, which resulted in hackers gaining access to Equifax's system and obtaining the personal information of millions of consumers.

The CFPB stressed that the prohibition on unfair practices is fact-specific and that the circular does not suggest that particular security practices are specifically required under the CFPA. Nonetheless, the CFPB is sending clear signals that it intends to use its authority over unfair, deceptive, or abusive acts or practices (UDAAP) to enforce certain standards for data security, notwithstanding that the CFPB has never adopted any substantive rules in this area prescribing particular data security practices. Financial companies and their service providers should review their information security programs and take care to implement common data security measures, such as multi-factor authentication, adequate password management, and timely software updates, to help minimize the risk of an unfairness violation.

