September 30, 2022

Volume XII, Number 273


CFPB Circular: Safeguard Consumer Data or Face Liability

On August 11, the CFPB published a circular clarifying liability under consumer financial protection law for bank and nonbank financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. These data security incidents may lead to significant harm to a few consumers—who, for example, become victims of targeted identity theft after a breach—or may lead to harm of many consumers in the event of large-scale, customer-base-wide breaches. The circular includes specific examples for reference.

The CFPB outlines several data security measures and practices which, if not implemented, may increase or trigger liability:

  • Multi-factor authentication. MFA is clearly a growing regulatory expectation, and the CFPB makes clear its view that MFA significantly reduces the possibility of compromised user accounts and unauthorized access to sensitive customer information.

  • Adequate password management. The unauthorized use of passwords and/or use of default logins or passwords represents a common data security issue, and password management policies are a simple and effective way to monitor for breaches at other entities where employees or others may be re-using usernames and passwords.

  • Timely software updates to address known vulnerabilities. For instance, once a software vendor or creator sends out a patch or announces an update meant to address a vulnerability, it is imperative to implement these updates; otherwise, the older version of the software is a potential target for hackers to exploit.

Putting It Into Practice: The measures in the circular are not new to banks and other financial institutions subject to the Gramm-Leach-Bliley Act. For companies under the CFPB’s authority, in particular, it’s worth noting that the agency continues to use its UDAAP enforcement authority to set new standards for finance companies – this time for insufficient data protection or information security (we discussed a similar trend in previous blog posts here and here). To help minimize the risk of an unfairness violation, financial companies and their vendors should ensure that they implement and routinely test robust security measures.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 230

About this Author

Moorari Shah, Partner

Moorari Shah is a partner in the Finance and Bankruptcy Practice Group in the firm's Los Angeles and San Francisco offices. 

Areas of Practice

Moorari combines deep in-house and law firm experience to deliver practical, business-minded legal advice. He represents banks, fintechs, mortgage companies, auto lenders, and other nonbank institutions in transactional, licensing, regulatory compliance, and government enforcement matters covering mergers and acquisitions, consumer and commercial lending, equipment finance and leasing, and supervisory examinations,...

213-617-4171

A.J. S. Dhaliwal, Associate

A.J. is an associate in the Finance and Bankruptcy Practice Group in the firm's Washington, D.C. office. 

A.J. has over a decade of experience helping banks, non-bank financial institutions, and other companies providing financial products and services in a wide range of matters including government enforcement actions, civil litigation, regulatory examinations, and internal investigations.

With a diversified regulatory, compliance, and enforcement background, A.J. counsels financial institutions in matters involving...

202-747-2323

Katie Daw, Associate

Katie’s practice focuses on government investigations into antitrust and competition issues and antitrust litigation.

Prior to joining the firm, Katie completed internships with United States Senator Dianne Feinstein and with United Kingdom Member of Parliament Graham Allen, for whom she conducted nutritional poverty research and drafted initiatives. She also served as a law clerk for the Baltimore Police Department, where she focused on compliance with the city’s consent decree entered into with the Department of Justice.  

202-747-2191