The CFPB recently published a circular clarifying liability under consumer financial protection law for financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. According to the CFPB. in the event of large scale, customer-base-wide breaches, consumers may become victims of targeted identify theft.

The CFPB outlines several data security measures and practices which, if not implemented, may increase or trigger liability:

  • Multi-factor authentication that reduces the possibility of compromised user accounts and unauthorized access to sensitive customer information.
  • Adequate password management to monitor for breaches where employees or others may be re-using usernames and passwords.
  • Timely software updates to address known vulnerabilities once a software vendor or creator sends out a patch or announces an update.

Putting It Into Practice: The measures in the circular are not new to banks and other financial institutions subject to the Gramm-Leach-Bliley Act. For companies under the CFPB’s authority, in particular, it’s worth noting that the agency continues to use its enforcement authority to set new standards for finance companies – this time for insufficient data protection or information security (our sister blog discussed a similar trend in previous blog posts here and here). To help minimize the risk of an unfairness violation, financial companies and their vendors should ensure that they implement and routinely test robust security measures.