CFPB Takes Action to Protect the Public from Shoddy Data Security Practices

WASHINGTON, D.C. – The Consumer Financial Protection Bureau (CFPB) confirmed in a circular published today that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.

"Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse," said CFPB Director Rohit Chopra. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data."

The CFPB is increasing its focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.

Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. For example, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security.

Today’s circular also provides examples of widely implemented data security practices. The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act. However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act, including:

• Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication can protect against credential phishing, such as those using the Web Authentication standard supported by web browsers.
• Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords.
• Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Upon announcement of these updates to address vulnerabilities, hackers immediately become aware that firms using older versions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.

Read today’s Consumer Financial Protection Circular on data security.

Consumers can submit complaints about financial issues that come up from data breaches by visiting the CFPB’s website or by calling (855) 411-CFPB (2372).

Employees who believe their companies have violated federal consumer financial protection laws are encouraged to send information about what they know to whistleblower@cfpb.gov.