
November 18, 2022

Stroock Client Alert

By: Allen H. Denson, Kingsley Nwamah

On August 11, 2022, the Consumer Financial Protection Bureau (the “Bureau” or “CFPB”) published a circular setting out its position on the responsibilities of banks and financial service providers to safeguard consumer data (the “Circular”). In the Circular, the CFPB expressly stated that it is focused on potential misuse and abuse of personal financial data and that entities within the CFPB’s purview may be violating the Consumer Financial Protection Act (“CFPA”) by failing to implement adequate measures to protect against security incidents. While the CFPB did not state that any particular data security practice is mandated by the CFPA, the Circular does outline the following examples of data security practices that it believes may protect consumer data: (1) multi-factor authentication; (2) adequate password management; and (3) timely software updates. The Bureau noted that a company’s failure to implement these data security measures may expose it to liability under the CFPA.

In the Circular, the Bureau begins by noting that financial institutions are subject to various federal laws governing data security such as the Gramm-Leach-Bliley Act (GLBA), but those institutions also fall within the definition of “covered persons” and “service providers” under the CFPA and are required to comply with the statute’s prohibition on unfair acts or practices. The CFPA provides that an unfair act or practice is an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition.[1] The Bureau made clear that a practice can cause substantial injury to a consumer when it causes “significant harm to a few consumers” or “a small amount of harm to many consumers.” In the eyes of the Bureau, even in the absence of a data breach, certain practices are likely to cause substantial injury if there are inadequate security measures employed to protect consumer data. The Bureau identified three reasonable measures that entities can undertake to protect consumer data.

The first measure identified in the Circular is the use of multi-factor authentication. The Bureau explained that multi-factor authentication is a security enhancement that requires more than one form of credential before an account can be accessed. The Bureau noted that if an entity in its purview does not offer multi-factor authentication, the Bureau believes the entity would be liable under the CFPA, since it is “unlikely” that the entity could demonstrate that the countervailing benefits to consumers outweigh the potential harm. The second measure identified in the Circular is the use of adequate password management policies and practices. The Bureau pointed to the risk consumers face when an entity has no policy in place to monitor for breaches at other service providers, where the same login information and password may have been reused, particularly given that username and password combinations can be sold on the dark web or freely posted online. The third and final measure identified in the Circular is the timely application of software updates (i.e., patches) to address security vulnerabilities in a product. The Bureau noted that once software updates are released, the public, including hackers, learns of the underlying vulnerabilities, which potentially exposes the financial information of customers that remain unpatched.

In the Circular, the Bureau cited precedent involving entities found to have violated the CFPA’s prohibition on unfair acts or practices through data security failures. Notably, the CFPB cited its July 2019 complaint against Equifax, stemming from Equifax’s 2017 data breach. The Bureau noted that Equifax violated the prohibition on unfairness by using software with a widely known vulnerability and failing to update the software to address that vulnerability for over four months.

The Circular is significant because it highlights the Bureau’s commitment to addressing how consumer financial data is handled by financial firms and suggests how the Bureau might approach its recently-announced rule on personal financial data rights.[2] Moreover, it underscores that even while a rulemaking is pending, the Bureau intends to use its unfairness authority to address perceived data security shortcomings through enforcement.


[1] 12 U.S.C. § 5531(c).

[2] https://www.consumerfinance.gov/about-us/newsroom/cfpb-kicks-off-personal-financial-data-rights-rulemaking/
