CFPB Addresses Data Security Expectations for Financial Institutions
On August 11, 2022, the Consumer Financial Protection Bureau (CFPB) published a Circular stating that the failure of financial institutions, including nonbank financial firms such as fintech companies and credit reporting agencies, to adequately safeguard their customers’ personal data may violate the Consumer Financial Protection Act (CFPA). The CFPA prohibits unfair, deceptive, and abusive acts or practices. Consistent with Director Chopra’s past statements, this Circular sends a clear signal that regulating nonbank financial firms’ data security practices remains a high priority for the agency. While the Circular largely lays out the minimum data security safeguards companies should employ, it leaves open the question of precisely what safeguards companies need in place to avoid running afoul of the CFPA’s prohibition on unfair practices.
Below, we provide a high-level summary of the Circular, as well as takeaways for financial institutions and how the guidance fits into the larger data privacy landscape, in which the government has repeatedly tried to nudge the private sector to do more in the absence of mandates or prescriptive recommendations.
For more detailed analysis of the Circular or a consultation on data security obligations under the CFPA and related data security regulations, please contact Wiley’s Privacy, Cyber & Data Governance Team or any authors listed on this article.
Key Aspects of the CFPB’s Data Security Circular
As an initial matter, the Circular makes clear that an actual data breach is not a prerequisite for a company to violate the CFPA’s prohibition on unfair practices. Specifically, the CFPB states that a “significant risk of harm [of a breach]” due to “inadequate data security measures” is sufficient to satisfy the injury prong of the CFPA’s definition of an unfair act or practice. The CFPB thereafter lists several security safeguards that it labels as “reasonable cost-efficient measures to protect consumer data” whose implementation by companies presumptively “outweigh any purported countervailing benefits to consumers or competition.”
The security measures the CFPB specifically calls out as ones companies need are: (1) multi-factor authentication (MFA); (2) password management; and (3) timely software updates. However, as noted at the outset, in the CFPB’s view these security measures are merely the minimum level of security nonbank financial firms should have in place, and having them in place does not necessarily mean that a company complies with the CFPA.
- The first security measure the CFPB addresses is covered companies’ implementation of MFA. The CFPB warns that, if a company has not implemented MFA for its employees (or a reasonably secure equivalent), the company is likely in violation of the CFPA. The CFPB likewise states that companies need to give consumers the option to use MFA for accessing their systems and accounts, or risk violating the CFPA.
- Next, the CFPB addresses password management, stating that a covered company that does not have adequate password management policies and practices risks liability under the CFPA. The CFPB further states that this includes companies’ failure to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (including notifying users when a password reset is required as a result) and includes use of default enterprise logins or passwords.
- Lastly, the CFPB posits that companies that “do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability” are potentially liable under the CFPA’s prohibition on unfair practices. The CFPB leaves its position open-ended and does not further elaborate on how often companies must update systems, software, or code to be compliant with the CFPA.
While the CFPA’s prohibition on unfair practices is fact-specific, the Circular signals that failing to implement common data security practices, including these three measures, increases the risk a covered company may be seen to violate the statute.
The Regulatory Landscape
In addition to the Circular’s interpretation that the CFPA requires MFA, password management, and timely software updates, the Circular also notes that companies providing consumer financial products and services must comply with the Safeguards Rule issued under the Gramm-Leach-Bliley Act, which requires nonbank financial institutions such as fintechs to protect consumer data. The Federal Trade Commission revised the Safeguards Rule in 2021 to require such financial institutions to implement specific data security safeguards. Among other things, the revised Safeguards Rule limits who can access customer information, requires the use of encryption, and requires the designation of a qualified individual to oversee an institution’s information security program and report at least annually to the company’s board of directors or equivalent governing body.
Looking Ahead
This is the latest in a series of moves by the CFPB signaling that failing to adequately safeguard consumer information may violate the CFPA’s prohibition against unfair acts or practices. However, because the CFPB has still not adopted specific data security standards, the question of what constitutes adequate data security practices under the CFPA remains open. Special attention should be paid to privacy and security enforcement actions and guidance across the federal government, to identify practices that regulators deem inadequate, questionable, or violative of standards.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently announced a “bad practices” initiative to identify practices that are “exceptionally risky, especially in organizations supporting Critical Infrastructure or NCFs. The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous.” The government is trying with such admonitions to encourage private sector activity in the absence of regulatory mandates, as explained in this blog post from CISA.
***
Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors to proactively address risks and compliance related to federal agency data security obligations. Please reach out to any of the authors with questions.