The CFPB has published a Consumer Financial Protection Circular (Circular) (2022-04) that makes clear insufficient data protection or security for sensitive consumer information may violate the prohibition on unfair acts or practices under the Consumer Financial Protection Act (CFPA).
This Circular does not have any impact on federal laws that currently govern data security for financial institutions, such as the Safeguards Rule under the Gramm-Leach-Bliley Act, but adds an additional layer of concern for financial institutions. Under the CFPA, covered persons and service providers must comply with prohibitions on unfair, deceptive, or abusive acts or practices (UDAAP). In this Circular, the CFPB states that “inadequate security for sensitive information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of the CFPA.” An unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers; (2) which is not reasonably avoidable by consumers; and (3) is not outweighed by countervailing benefits to consumers or competition.
The CFPB details how inadequate data security can meet this three-prong test. As to the first prong, failure to comply with requirements found in the Safeguards Rule or failure to employ adequate data security measures can cause and has caused significant harm to consumers. The CFPB goes further and states that actual injury is not required to satisfy this first prong of the analysis, but that a significant risk of harm is also sufficient. The second prong is met because consumers are unable to reasonably avoid harms caused by a company’s failure to secure data thus satisfying the second prong. Finally, the CFPB states that it is unaware of any case where a court has found that the harm caused by poor data security practices is outweighed by countervailing benefits to consumers or competition, meeting the third prong of the test.
This analysis is not totally unexpected. In past years, we have seen the CFPB and the Federal Trade Commission (FTC) file complaints alleging UDAAP/UDAP violations for data breaches. Most well known are the complaints against Equifax, alleging Equifax used software that contained a known vulnerability and did not patch the vulnerability promptly. Other UDAP actions by the FTC alleged inadequate authentication procedures and password management failures.
Based on this precedent, the CFPB gives three examples of practices that will likely trigger liability for UDAAP violations:
· Failure to require or offer multi-factor authentication for employees or consumers, or something reasonably equivalent.
· Failure to have adequate password management policies and practices, including failing to have processes in place to monitor for breaches at other entities that may be re-using logins and passwords.
· Failure to routinely update systems, software, and code or a failure to update when notified of a critical vulnerability. This includes using versions of software that are no longer actively maintained by a vendor.
If you have any questions relating to this Circular, please contact our office.