CFPB Issues Circular on Data Security

On August 11, 2022, the CFPB published a circular confirming that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols. According to the CFPB, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.

In addition to potential breaches, the CFPB’s circular on data security also provides examples of widely implemented data security practices. Although the following data security measures are not mandated by the regulations, failure to implement them might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act. These include:

  • Multi-factor Authentication. This security measure makes it significantly harder for adversaries to gain access to sensitive customer data. It also protects against credential phishing.

  • Adequate Password Management. Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Password management policies and practices provide ways to monitor for breaches at other entities where employees may be re-using logins and passwords.

  • Timely Software Updates. Software vendors and creators often send out patches and other updates to address continuously emerging threats. Hackers can immediately become aware that firms using older versions of software are potential targets to exploit. Thus, protocols to immediately update software and address vulnerabilities once they become publicly known can reduce a firm's exposure.

The CFPB’s press release can be found here.

The CFPB’s circular on data security can be found here.
