CFPB States Data Security Practices Are Under CFPA Purview
On August 11, 2022, the Consumer Financial Protection Bureau (“CFPB”) published a Circular stating “[i]nadequate security for the sensitive consumer information collected, processed, maintained, or stored by … [a] company can constitute an unfair practice” under the Consumer Financial Protection Act (“CFPA”).
According to the CFPB, insufficient security of data maintained or exchanged by an organization is “likely to cause substantial injury to consumers,” such as data breaches, “cyberattacks, exploits, ransomware attacks and other exposure of consumer data.” These injuries are “not reasonably avoidable or outweighed by countervailing benefits to consumers or competition.” The CFPB clarified that an actual breach is not a prerequisite to deeming a practice unfair: even in the absence of a breach, inadequate data security can be an unfair practice.
In the circular, the CFPB supports this determination by citing the balancing test required by the third Unfair, Deceptive, or Abusive Acts or Practices (“UDAAP”) prong and caselaw relating to “instances in which data management practices were evaluated in reference to the FTC’s prohibition on unfair acts or practices.”
Pursuant to this determination, the CFPB provided the steps below that financial institutions can take to protect the consumer data that they maintain or exchange. The CFPB makes clear that an entity that fails to comply with these steps would be unlikely to “demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability.”
Recommended steps include:
Implement multi-factor authentication (“MFA”), especially “MFA solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers.”
Utilize adequate password management policies and practices to avoid “a common data security issue.”
Engage in timely software updates to “address security vulnerabilities within a program or product.”