August 12, 2022

CFPB Says Firms Face Liability for Failing to Protect Consumer Data

Commentary by Michael A. Kleinman

The CFPB warned that financial institutions and their service providers can be held liable for maintaining insufficient data protection or information security.

In Consumer Financial Protection Circular 2022-04, the CFPB stated that "inadequate security for the sensitive consumer information collected, processed, maintained or stored by [a] company can constitute an unfair practice[,]" and that "financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition." The CFPB added that inadequate data protection can be considered a violation of law even in the absence of a data-compromising or consumer-harming event. The circular follows the FTC's 2021 implementation of its Safeguards Rule under section 501(b) of the Gramm-Leach-Bliley Act, which included significant updates concerning information security measures required to be taken by certain nonbank financial institutions (see previous coverage).

The CFPB highlighted several "reasonable cost-efficient" data protection measures that should be implemented to reduce (i) the risk of a data breach or cyber intrusion and (ii) the liability under the Consumer Financial Protection Act's prohibition against unfair acts or practices. First, the CFPB urged the use of multi-factor authentication which "greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data." Second, the CFPB mandated better password management, including monitoring for password breaches and instances where employees reuse login information, and prohibiting the use of default usernames and passwords. Further, the CFPB stated that financial institutions and service providers should regularly update security software to lessen the likelihood that hackers can expose vulnerabilities in security systems.

The circular makes clear that the failure to implement "common security practices" - such as (i) requiring multifactor authentication for employees and making it available as an option for consumers; (ii) establishing password management policies and practices, including proactive monitoring of the dark web for breached passwords and remediation; and (iii) patch management practices that include maintaining IT asset inventories and replacing unsupported software - will presumptively violate the CFPA's prohibition on unfair practices, even in the absence of a data breach or cyber incident.
