New policy statement from the bureau addresses data security expectations for sensitive consumer information, including examples of when firms may be liable for insufficient security protocols.
08/11/2022 6:00 P.M.
5.5 minute read
The Consumer Financial Protection Bureau issued a circular on Aug. 11 asking and answering a question about the consequences of insufficient data protection or information security.
The question: Can financial services companies violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?
The CFPB’s answer: “Yes.”
In its new circular, the CFPB notes that in addition to other federal laws governing data security for financial institutions, “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA.
“Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12U.S.C. 5536(a)(1)(B),” the CFPB states.
An unfair act or practice is considered one: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) that is not outweighed by countervailing benefits to consumers or competition.
“For example, inadequate data security measures can cause significant harm to a few consumers who become victims of targeted identity theft as a result, or it can cause harm to potentially millions of consumers when there are large customer-base-wide data breaches,” according to the CFPB.
The circular provides examples of when the failure to implement data security measures might trigger a company’s liability under the CFPA, including:
- “Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication can protect against credential phishing, such as those using the web authentication standard supported by web browsers.
- Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords.
- Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Upon announcement of these updates to address vulnerabilities, hackers immediately become aware that firms using older versions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.”
“We agree with the CFPB on the importance of protecting consumers’ sensitive information,” said ACA International CEO Scott Purcell. “While this is a ‘new’ circular stating the CFPB’s position on this topic as it relates to unfair practices, the FTC’s Safeguards Rule has been clear on the expectations for organizations operating under the broad financial institutions umbrella for some time. Data security, like other elements of a robust compliance management system, relies on regular risk assessments and mitigating risks with controls and procedures that reduce those risks to acceptable levels, along with other prescribed measures.”
What is a CFPB Circular?
In May, CFPB Director Rohit Chopra announced the bureau’s new enforcement strategy known as “Consumer Financial Protection Circulars.”
The circulars are “policy statements under the Administrative Procedure Act and will be released publicly to increase transparency for the benefit of the public and regulated entities,” according to the CFPB.
They are published on the CFPB website and in the Federal Register with Director Chopra’s authorization.
State and Federal Data Security Activity
2022 has been a busy year for the U.S. data privacy world. On the state level, five U.S. states now have comprehensive consumer privacy legislation in place: California, Connecticut, Colorado, Virginia and Utah.
On the federal level, companies engaged in consumer debt collection have until Dec. 9, 2022, to align their data protection programs with recent regulatory amendments to the Safeguards Rule.
First promulgated in 2002 under the Gramm-Leach-Bliley Act, the Safeguards Rule regulates the data privacy practices of financial institutions, which covers debt collectors and debt buyers as well as originating creditors.
ACA is also advocating for federal data privacy legislation that avoids creating a patchwork of requirements for regulated entities that may also conflict with existing regulations. The American Data Privacy and Protection Act, H.R. 8152, is the first comprehensive privacy proposal to gain bipartisan, bicameral support, according to a news release, and has been years in the making.
“ACA appreciates that the legislation is designed to preempt many state privacy laws because all Americans deserve to receive a uniform level of privacy protections,” said Purcell in a letter to co-sponsors U.S. Reps. Frank Pallone Jr., D-N.J., Cathy McMorris Rodgers, R-Wash., and U.S. Sen. Roger Wicker, R-Miss. “Nonetheless, there are specific exceptions contemplated in this legislation that will result in an unnecessary and complicated patchwork of privacy protections.”
ACA and its members comply with multiple data protection regulatory obligations on both the state and federal level, and ACA offers many resources to help members in this regard.
The Conference of State Bank Supervisors recently released two new tools for nonbank financial services companies to improve their cybersecurity exam procedures and practices: The Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program.
Reviewing these exam procedures and resources on cybersecurity provides useful insight into protecting consumer data and preparing for review by state regulators.
For additional data security tips, read this recent Collector magazine article.
ACA also offers two Core webinars on data security and privacy, which explore essential safeguards and strategies to develop a data security compliance program.
Note: Members who have purchased ACA’s All-Access Training Zone have access to all Core Curriculum and Hot Topic webinars, as well as past webinar recordings—no access code required.
Finally, it’s critical to make sure your cyber liability insurance is current. A cyber liability insurance policy is designed to protect you from lost income and cover defense fees your business may be required to pay as a result of a data breach.
Collectors Insurance Agency (CIA), a subsidiary of ACA International, provides members exclusive access to risk management products and services tailored to each members’ specific needs and is available at [email protected].
If you have executive leadership updates or other member news to share with ACA, contact our communications department at [email protected]. View our publications page for more information and our news submission guidelines here.