HB Ad Slot
HB Mobile Ad Slot
CFPB Warns Insufficient Data Security Measures May Violate Consumer Financial Protection Act
Wednesday, August 17, 2022

On Aug. 11, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) issued Circular 2022-04, (Circular) indicating that financial institutions and service providers that fail to adopt sufficient data security measures to protect consumer financial data may violate the Consumer Financial Protection Act (CFPA) provision prohibiting unfair acts and practices. The CFPB indicates that whether a financial institution’s security program is adequate under the CFPA is a fact-intensive question, but the agency does offer some basic examples of what it may consider required.

The CFPA prohibits unfair acts or practices, which are defined as an act or practice that:

  • causes or is likely to cause substantial injury to consumers,

  • is not reasonably avoidable by consumers, and

  • is not outweighed by countervailing benefits to consumers or competition.

The CFPB warns that inadequate data security measures that fail to protect consumer data can cause all three results, and that actual injury is not required to find an unfair or deceptive act. Additionally, a breach or intrusion is not necessary for the CFPB to find that a financial institution’s data security practices are unfair.

Specifically, the Circular provides three examples of data security measures that, if absent, may indicate a financial institution has inadequate data security measures. These include:

  • Multi-factor authentication (MFA)

  • Password management policies and practices

  • Timely software updates

These concepts will not be surprising to financial institutions if they already are subject to the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule contains more specific and stringent data security requirements than those the CFPB recommends in the Circular. The CFPB notes that while the Safeguards Rule’s requirements may overlap with the standard set in the Circular, they are not coextensive. Financial institutions and service providers may wish to take steps to ensure compliance with both the Safeguards Rule and the CFPB’s new guidance.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins