CFPB circular: Protect consumer data or civil liability – Financial services

To print this article, all you need to do is be registered or log in to

On August 11, the CFPB issued a circular clarifying liability under the Consumer Financial Protection Act for banking and non-banking financial companies that fail to protect consumer data. The circular outlines how companies can violate the CFPA’s prohibition on unfair acts or practices with respect to the processing of consumer data by failing to implement adequate measures to protect against data security incidents. These data security incidents can cause significant damage to a few consumers (who, for example, experience targeted identity theft after a breach) or can cause damage to many consumers in the event of large-scale breaches. at the customer level. . The circular includes specific examples for reference.

The CFPB outlines several data security measures and practices that, if not implemented, can increase or trigger liability:

  • Multi-factor authentication. Clearly a growing regulatory expectation, the CFPB makes it clear that MFA significantly reduces the possibility of compromised user accounts and unauthorized access to sensitive customer information.

  • Proper password management. Unauthorized use of passwords and/or the use of default logins or passwords is a common data security issue, and password management policies are a simple and effective way to monitor violations in other entities where employees or others may reuse usernames and passwords. .

  • Timely software updates to address known vulnerabilities. For example, once a software vendor or creator releases a patch or announces an update intended to fix a vulnerability, it is imperative to implement those updates; otherwise, the older version of the software is a potential target for hackers to exploit.

Put into practice : The circular’s measures are not new to banks and other financial institutions subject to the Gramm-Leach-Bliley Act. For companies under the authority of the CFPB, in particular, it should be noted that the agency continues to use its UDAAP enforcement authority to set new standards for financial companies – this time for data protection or insufficient information security (we have discussed a similar trend in previous blog posts here and here). To help minimize the risk of an unfair breach, financial firms and their vendors should ensure that they implement and regularly test robust security measures.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR ARTICLES ON: Finance and Banking of the United States

Schumer-Manchin deal moves forward

Norton Rose Fulbright US LLP

The tax fairness market will be different if the surprise deal that Senate Majority Leader Chuck Schumer struck yesterday with Democrats…

The CFPB focuses on the law on civil aid to the military

McGlinchey Stafford

Continuing a recent trend of highlighting Potentially Unfair and Deceptive Acts or Practices (UDAAPs) within the auto lending services industry, the Consumer Financial Protection Bureau (CFPB) recently released a new blog post focusing on the Civil Relief Members Act (SCRA).