The Consumer Financial Protection Bureau (“CFPB”) recently issued Consumer Financial Protection Circular 2022-04, confirming its increased focus on financial companies that violate federal consumer financial protection law when they fail to safeguard consumer data and warned the industry against shoddy data protection practices. The circular posed this broader question to the industry: Can an entity be cited for a violation of the prohibition on unfair acts or practices in the Consumer Financial Protection Act (“CFPA”) when it has insufficient data protection or information security? The circular raised two important issues which are:

1. In addition to the Safeguard Rules issued under the Gramm-Leach-Bliley Act (“GLBA”), “covered persons” and “service providers” must also comply with Consumer Financial Protection Act (“CFPA”) in the protection of sensitive consumer information, such that they two are not “coextensive” of overlapping requirements; and

2. Insufficient information security controls to protect the personal data of customers can be deemed a violation of the unfair acts or practices prohibitions of CFPA – even in absence of consumer harm or a breach. 

This circular is another indication of the CFPB increasing scrutiny of companies’ mishandling of consumers’ financial data. Chopra has previously warned of the erosion of consumer privacy and encouraged states to strengthen legal frameworks to protect consumer data in credit reporting and digital payment platforms.

The guidance included examples of when entities can be held liable for data security violations under CFPA. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.” 

The CFPB highlights previous security incidents where financial companies were penalized for data breaches. As an example, the circular referenced the Bureau’s 2019 penalty against Equifax Inc. for a 2017 data leak of the personal data of millions of Americans due to a “failure to provide reasonable security for sensitive personal information it collected, processed, maintained, or stored within computer networks.” The circular also cited law enforcement actions related to inadequate authentication under the Federal Trade Committee’s (“FTC”) GLBA prohibition of unfair practices related to data security deficiencies. While the examples of common enhanced security practices are not mandated, the circular lists multifactor authentication, adequate password management, and timely software updates as helpful to increasing consumer data protection.