September 30, 2022

Volume XII, Number 273


CFPB Warns Insufficient Data Security Measures May Violate Consumer Financial Protection Act

On Aug. 11, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) issued Circular 2022-04 (Circular), indicating that financial institutions and service providers that fail to adopt sufficient data security measures to protect consumer financial data may violate the Consumer Financial Protection Act (CFPA) provision prohibiting unfair acts and practices. The CFPB indicates that whether a financial institution’s security program is adequate under the CFPA is a fact-intensive question, but the agency does offer some basic examples of what it may consider required.

The CFPA prohibits unfair acts or practices, which are defined as an act or practice that:

  • causes or is likely to cause substantial injury to consumers,

  • is not reasonably avoidable by consumers, and

  • is not outweighed by countervailing benefits to consumers or competition.

The CFPB warns that inadequate data security measures that fail to protect consumer data can cause all three results, and that actual injury is not required to find an unfair or deceptive act. Additionally, a breach or intrusion is not necessary for the CFPB to find that a financial institution’s data security practices are unfair.

Specifically, the Circular provides three examples of data security measures that, if absent, may indicate a financial institution has inadequate data security measures. These include:

  • Multi-factor authentication (MFA)

  • Password management policies and practices

  • Timely software updates

These concepts will not be surprising to financial institutions if they already are subject to the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule contains more specific and stringent data security requirements than those the CFPB recommends in the Circular. The CFPB notes that while the Safeguards Rule’s requirements may overlap with the standard set in the Circular, they are not coextensive. Financial institutions and service providers may wish to take steps to ensure compliance with both the Safeguards Rule and the CFPB’s new guidance.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 229

About this Author

Benjamin Saul
Shareholder

Benjamin Saul is a shareholder in the firm’s Financial Regulatory and Compliance Practice. For two decades, Ben has handled high-stakes regulatory, enforcement, and litigation matters for corporate and individual clients in the consumer finance, specialty finance, fintech, and banking sectors. 

Ben has helped clients navigate dozens of contentious supervisory, enforcement, and litigation matters involving the Consumer Financial Protection Bureau (CFPB), and has been a leader in the private bar on CFPB matters since the Bureau’s inception in 2011...

202-331-3123
Kevin M. Scott
Shareholder

Kevin Scott counsels small and large entities, including merchants, medical providers, financial institutions, and educational institutions on the identification, evaluation, and management of first- and third-party data privacy and cybersecurity risks. Kevin advises on data privacy, cybersecurity breach response, and payment card industry standards and investigations. He has handled hundreds of breaches, often reducing public and regulatory scrutiny and protecting clients’ reputations. Kevin’s practice also includes advising clients on compliance with state, federal,...

312-456-1040
Jessica D. Pedersen
Associate

Jessica Pedersen advises businesses on complex data privacy and cybersecurity issues. Jessica has experience counseling a diverse range of companies on compliance with both existing and emerging privacy and security laws, including the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In addition, she assists clients in preparing for and responding to cybersecurity threats, including designing data breach tabletop exercises, managing data breach response, and defending privacy and data breach litigation. Jessica also...

312-456-1001