The CFPB recently published a circular clarifying liability under consumer financial protection law for financial companies that fail to protect consumer data. The circular outlines how companies can violate the CFPA’s prohibition on unfair acts or practices with respect to the processing of consumer data by failing to implement adequate measures to protect against data security incidents. According to the CFPB, in the event of large-scale breaches affecting the entire customer base, consumers can become victims of targeted identity theft.
The CFPB outlines several data security measures and practices that, if not implemented, can increase or trigger liability:
- Multi-factor authentication that reduces the possibility of compromised user accounts and unauthorized access to sensitive customer information.
- Proper password management, including monitoring for breaches in which employees or others reuse usernames and passwords.
- Timely software updates to address known vulnerabilities once a software vendor or creator releases a patch or announces an update.
Put into practice: The circular’s measures are not new to banks and other financial institutions subject to the Gramm-Leach-Bliley Act. For companies under the authority of the CFPB in particular, it should be noted that the agency continues to use its enforcement power to set new standards for financial companies, this time for insufficient data protection or information security (our sister blog discussed a similar trend in previous blog posts here and here). To help minimize the risk of a breach that could be deemed an unfair practice, financial firms and their vendors should ensure that they implement and regularly test robust security measures.