On August 11, the CFPB published a circular clarifying liability under consumer financial protection law for bank and nonbank financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. These data security incidents may lead to significant harm to a few consumers—who, for example, become victims of targeted identify theft after a breach—or may lead to harm of many consumers in the event of large scale, customer-base-wide breaches. The circular includes specific examples for reference.

The CFPB outlines several data security measures and practices which, if not implemented, may increase or trigger liability:

  • Multi-factor authentication. Clearly a growing regulatory expectation, the CFPB makes clear its view that MFA significantly reduces the possibility of compromised user accounts and unauthorized access to sensitive customer information.
  • Adequate password management. The unauthorized use of passwords and/or use of default logins or passwords represents a common data security issue, and password management policies are a simple and effective way to monitor for breaches at other entities where employees or others may be re-using usernames and passwords.
  • Timely software updates to address known vulnerabilities. For instance, once a software vendor or creator sends out a patch or announces an update meant to address a vulnerability, it is imperative to implement these updates; otherwise, the older version of the software is a potential target for hackers to exploit.

Putting It Into Practice: The measures in the circular are not new to banks and other financial institutions subject to the Gramm-Leach-Bliley Act. For companies under the CFPB’s authority, in particular, it’s worth noting that the agency continues to use its UDAAP enforcement authority to set new standards for finance companies – this time for insufficient data protection or information security (we discussed a similar trend in previous blog posts here and here). To help minimize the risk of an unfairness violation, financial companies and their vendors should ensure that they implement and routinely test robust security measures.