
CFPB Issues Circular Regarding Data Protection

The Consumer Financial Protection Bureau (“CFPB”) published Circular 2022-04 on August 11, 2022, confirming that financial institutions may violate the prohibition on unfair acts or practices under the Consumer Financial Protection Act (“CFPA”) by having insufficient data protection or information security.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common-sense steps to protect personal financial data.”

The Circular provides that, under the CFPA, an unfair act or practice is one that (1) causes or is likely to cause substantial injury to consumers, (2) is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition. Additionally, an actual injury is not required to prove an unfair act or practice under the CFPA. The Circular provides examples of data security practices that are widely used to protect consumer data.

Further, three examples of data security measures indicated to reduce the likelihood of violating the prohibition on unfair acts or practices are multi-factor authentication, password management policies and practices, and timely software updates. Not using these types of security measures may indicate that a financial institution has inadequate data protection.

Circulars are a new tool being used by the CFPB to provide supervisory guidance on individual topics. For more information on this type of guidance, see our prior article here.
