- Financial companies could violate the Consumer Financial Protection Act (CFPA) if they fail to adequately safeguard consumers’ data, according to a circular released Thursday by the Consumer Financial Protection Bureau (CFPB).
- In the circular, the CFPB provided examples of practices — such as multifactor authentication, password management and timely software updates — that financial firms should embrace to lower the risk of violating the federal consumer financial protection law.
- The move comes as the agency is “increasing its focus on potential misuse and abuse of personal financial data,” it said.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in a statement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common-sense steps to protect personal financial data.”
The failure to implement the data security measures highlighted in the circular might increase the risk that a firm’s conduct triggers liability under the CFPA, the bureau said.
“Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition,” the agency said. “Inadequate data security can be an unfair practice in the absence of a breach or intrusion.”
The agency, however, said the circular does not suggest multifactor authentication, password management or software updates are specifically required under the CFPA.
The CFPB cited the 2017 Equifax breach, which affected the “sensitive personal data of hundreds of millions of Americans,” as an example of a high-profile data security incident that violated the CFPA and other laws.
The agency in 2019 charged Equifax with violating the CFPA.
“Equifax’s 2017 failure to patch a known vulnerability resulted in hackers gaining access to Equifax’s systems that exposed the personal information of nearly 148 million consumers,” the CFPB said.