Bureau warns financial companies on data security

The CFPB has announced it has issued Consumer Financial Protection Circular 2022-04, Insufficient data protection or security for sensitive consumer information, confirming that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.

In its news release, the Bureau states, "Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. For example, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act (CFPA) to address misconduct related to data security."

The circular provides examples of widely implemented data security practices, but does not suggest that particular practices are specifically required under the CFPA. There are also examples given where the failure to implement a data security measure might increase the risk that a firm might sustain liability under the CFPA. Some of the security practices listed include multi-factor authentication, adequate password management, and timely software updates.