CFPB circular addresses potential misuse of personal financial data


The Consumer Financial Protection Bureau (CFPB) confirmed in a circular issued today that financial firms can violate federal consumer financial protection law when they fail to protect consumer data. The circular provides guidance for consumer protection officials, including examples of where companies can be held liable for lax data security protocols.

“Financial companies that cut corners on data security expose their customers to the risk of identity theft, fraud and abuse,” CFPB Director Rohit Chopra said. “While many non-banking companies and fintech providers have not been carefully monitored for the security of their data, they risk legal liability if they fail to take common-sense steps to protect personal financial data.”

The CFPB is placing greater emphasis on the potential misuse of personal financial data. As part of these efforts, the circular explains how and when companies can breach the Consumer Financial Protection Act with respect to data security. Specifically, financial companies risk violating consumer financial protection law if they do not have adequate measures in place to protect against data security incidents.

Past data security incidents, including the 2017 Equifax data breach, have exposed the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act in addition to other laws. For example, in 2019 the CFPB alleged that Equifax had violated the Consumer Financial Protection Act in an action addressing its data security failures.

Today’s circular also provides examples of widely implemented data security practices. The circular does not suggest that any particular security practice is specifically required under the Consumer Financial Protection Act. However, it notes several measures whose absence could increase the risk that a company’s conduct gives rise to liability under consumer financial protection law, including:

  • Multi-factor authentication: Multi-factor authentication dramatically increases the difficulty for adversaries to compromise corporate user accounts and thereby gain access to sensitive customer data. Some forms of multi-factor authentication, such as those built on the web authentication (WebAuthn) standard supported by web browsers, can also protect against phishing of credentials.
  • Proper password management: Unauthorized use of passwords is a common data security issue, as is the use of default corporate logins or passwords. Username and password combinations can be sold on the dark web or published on the Internet for free, creating the risk of future breaches. For companies that still rely on passwords, password management policies and practices help detect when credentials exposed in breaches at other organizations are being reused by employees.
  • Timely software updates: Software vendors and creators, including maintainers of software libraries and open source projects, regularly release patches and other updates to address constantly emerging threats. As soon as an update addressing a vulnerability is announced, attackers recognize that companies running older versions of the software are potential targets for exploitation. Protocols for promptly updating software and patching vulnerabilities once they become public knowledge reduce this exposure.

The full text of the circular on data security under consumer financial protection law is available from the CFPB.
