In August 2022, the Consumer Financial Protection Bureau (CFPB) published a circular confirming that, under certain circumstances, entities may “violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security.” The circular sets forth the CFPB’s analysis of relevant laws governing data security for financial institutions and provides several examples where a failure to implement certain data security measures may increase the risk that an entity’s conduct triggers liability under the CFPA.
The CFPB states in the circular that inadequate security for the protection of sensitive consumer information collected, processed, maintained, or stored by “covered persons” and “service providers” can constitute an unfair practice in violation of the CFPA, 12 U.S.C. § 5536(a)(1)(B). The CFPA defines an unfair act or practice as an act or practice (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition. See 12 U.S.C. § 5531(c). According to the CFPB, inadequate security measures are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. The CFPB also specifies that inadequate data security can be an unfair practice even in the absence of a breach or intrusion, and that actual injury is not required to satisfy the first prong of the unfair act or practice standard set forth above.
The CFPB describes three examples of common data security practices which, if not implemented by financial institutions, will typically meet the first two elements of the unfairness standard described above. Specifically, if a covered person or service provider does not implement these specified security measures, it is unlikely that they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability under the CFPA.
- Multi-Factor Authentication. Multi-factor authentication is a security enhancement that requires multiple credentials (or factors) before an account can be accessed. The CFPB suggests that covered persons and service providers offer multi-factor authentication as an option for consumers accessing systems and accounts, as multi-factor authentication increases the level of difficulty for adversaries to compromise user accounts and gain access to sensitive customer data.
- Adequate Password Management. Username and password combinations can be sold on the dark web or posted for free on the internet, and those leaked credentials can then be used to access not just the accounts in question, but other accounts held by the same consumer or employee. Covered persons or service providers should have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (including notifying users when a password reset is required as a result).
- Timely Software Updates. Software vendors regularly update software to address security vulnerabilities within a program or product. When companies use commonly available software, including open-source software and open-source libraries, and do not install updates that have been released for that software or take other mitigating steps if patching is not possible, they neglect to fix a security vulnerability that has become widely known.
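The "adequate password management" item above describes a process (monitor third-party breaches for reused credentials, then force a reset) without showing how it is operationalised. The following is an added example written for this post; it is not code from the CFPB or from the circular, and it assumes a breach corpus exposed as SHA-1 hashes queried by 5-character prefix (the k-anonymity pattern used by pwned-password style feeds). The corpus and accounts are constructed inline so the example runs offline. The check is placed at login or password-change time, the only moments a service legitimately holds the plaintext, which is why stored hashes are never compared against the feed here.

```python
import hashlib
from dataclasses import dataclass

# Constructed breach corpus (assumption: a pwned-password style feed keyed by
# upper-case SHA-1). The plaintexts are throwaway values chosen for the example.
_LEAKED_PLAINTEXTS = ["password123", "Summer2022!", "letmein"]
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in _LEAKED_PLAINTEXTS
}

PREFIX_LEN = 5  # k-anonymity: only the first 5 hex characters leave the client


def sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1, the key format the simulated feed uses."""
    return hashlib.sha1(value.encode()).hexdigest().upper()


def range_lookup(prefix: str) -> set[str]:
    """Simulated range query: every corpus suffix whose hash starts with prefix.

    A real feed would answer this over HTTPS; here it is served from the
    constructed corpus so the full hash of the candidate never leaves the caller.
    """
    return {h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breach corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix)


@dataclass
class LoginAttempt:
    user: str
    password: str  # plaintext is only transiently available at login time


def login_decision(attempt: LoginAttempt) -> str:
    """Policy hook run after the credential has otherwise verified.

    Returns "allow" for a clean credential or "reset_required" when the
    credential is known to be exposed, so the session can be gated on a reset.
    """
    return "reset_required" if is_breached(attempt.password) else "allow"


def users_needing_reset(attempts: list[LoginAttempt]) -> list[str]:
    """Batch form of the same check, e.g. over a day's successful logins."""
    return [a.user for a in attempts if login_decision(a) == "reset_required"]


def reset_notice(user: str) -> str:
    """Notification text sent when a reset is required (wording is illustrative)."""
    return (
        f"{user}: the password on your account matched a credential exposed in a "
        "third-party breach. A password reset is required before your next login."
    )


# Constructed sample logins: alice and carol reuse leaked passwords, bob does not.
SAMPLE_LOGINS = [
    LoginAttempt("alice", "password123"),
    LoginAttempt("bob", "correct horse battery staple"),
    LoginAttempt("carol", "Summer2022!"),
]

if __name__ == "__main__":
    for user in users_needing_reset(SAMPLE_LOGINS):
        print(reset_notice(user))
```

Running the block prints reset notices for alice and carol only. The prefix query is the point of the design: the service can consult an external breach feed continuously, as the circular expects, without disclosing which credential it is checking.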
The press release accompanying the circular quotes CFPB Director Rohit Chopra stating that “[f]inancial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse.” The circular makes clear that the CFPB intends to increase its enforcement efforts toward the potential misuse and abuse of personal financial data. Financial institutions should consider implementing the security measures expressly identified by the CFPB, and others, to ensure that sensitive consumer data remains protected.