CFPB Says Firms Face Liability for Failing to Protect Consumer Data
The CFPB warned that financial institutions and their service providers can be held liable for maintaining insufficient data protection or information security.
In Consumer Financial Protection Circular 2022-04, the CFPB stated that "inadequate security for the sensitive consumer information collected, processed, maintained or stored by [a] company can constitute an unfair practice[,]" and that "financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition." The CFPB added that inadequate data protection can be considered a violation of law even in the absence of a data-compromising or consumer-harming event. The circular follows the FTC's 2021 implementation of its Safeguards Rule under section 501(b) of the Gramm-Leach-Bliley Act, which included significant updates concerning information security measures required to be taken by certain nonbank financial institutions (see previous coverage).
The CFPB highlighted several "reasonable cost-efficient" data protection measures that should be implemented to reduce (i) the risk of a data breach or cyber intrusion and (ii) the liability under the Consumer Financial Protection Act's prohibition against unfair acts or practices. First, the CFPB urged the use of multi-factor authentication, which "greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data." Second, the CFPB mandated better password management, including monitoring for password breaches and for instances where employees reuse login credentials, and prohibiting the use of default usernames and passwords. Third, the CFPB stated that financial institutions and service providers should regularly update security software to lessen the likelihood that attackers can exploit vulnerabilities in security systems.