Insufficient Security for Sensitive Consumer Data
In CFPB Consumer Financial Protection Circular 2022 the CFPB addressed whether entities can violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security.
In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an UNFAIR PRACTICE in violation of 12 U.S.C. 5536(a)(1)(B). While these requirements often overlap, they are not coextensive.
Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.
Safeguards, among other things, limit who can access customer information, require the use of encryption to secure such information, and require the designation of a single qualified individual to oversee an institution’s information security program and report at least annually to the institution’s board of directors or equivalent governing body.
Actual injury is not required. A significant risk of harm is also sufficient. In other words, this prong of UNFAIR PRACTICE is met even in the absence of a data breach. Practices that “are likely to cause” substantial injury, including inadequate data security measures that have not yet resulted in a breach, qualify.