
In August 2022, the CFPB issued a press release and circular on data security. The Bureau announced that it has “confirmed in a circular published today that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.” The official document is Consumer Financial Protection Circular 2022-04 where the Bureau answers the question “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?” Here, naturally, the Bureau said yes. “In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B). While these requirements often overlap, they are not coextensive.”

Out of all the breaches that the Bureau could have highlighted in its press release, it highlighted just one — Equifax. The release noted that “[p]ast data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. For example, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security.”

As noted by the press release, the circular

also provides examples of widely implemented data security practices. The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act. However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act, including:

    • Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication can protect against credential phishing, such as those using the Web Authentication standard supported by web browsers.
    • Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords.
    • Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Upon announcement of these updates to address vulnerabilities, hackers immediately become aware that firms using older versions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.

A CFPB circular is a document that is

issued to all parties with authority to enforce federal consumer financial law. [While the CFPB] is the principal federal regulator responsible for administering federal consumer financial law…these laws are also enforced by state attorneys general and state regulators…and [federal] prudential regulators…In addition, some of these laws provide for private enforcement.

[CFPB] Circulars are intended to promote consistency in approach across the various enforcement agencies and parties, pursuant to the CFPB’s statutory objective to ensure federal consumer financial law is enforced consistently [and they] are also intended to provide transparency to partner agencies regarding the CFPB’s intended approach when cooperating in enforcement actions[, for example, in] consultation with CFPB by state attorneys general and regulators[, and] joint investigatory work between CFPB and other agencies…

[CFPB] Circulars are general statements of policy under the Administrative Procedure Act…They provide background information about applicable law, articulate considerations relevant to the Bureau’s exercise of its authorities, and, in the interest of maintaining consistency, advise other parties with authority to enforce federal consumer financial law. They do not restrict the Bureau’s exercise of its authorities, impose any legal requirements on external parties, or create or confer any rights on external parties that could be enforceable in any administrative or civil proceeding. The CFPB Director is instructing CFPB staff as described herein, and the CFPB will then make final decisions on individual matters based on an assessment of the factual record, applicable law, and factors relevant to prosecutorial discretion.