Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.
This position is not new, as the CFPB has been pursuing covered entities for lax data security measures for some years.
In 2016 the CFPB brought its first data security enforcement action against Dwolla, a payment processor. What makes this action stand out is that Dwolla neither suffered a data breach nor was accused of exposing consumer non-public information. Instead, the Bureau claimed the company misrepresented to consumers the quality of its encryption and data-security protections.
In addition, the CFPB alleged Dwolla did not have “reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers’ personal information.” Dwolla was ordered to pay a $100,000 fine and take measures to fix its “security flaws.”
In the intervening years, the CFPB has added information and data security to its examination procedures.
THE IMPORTANCE OF THE CIRCULAR
While the CFPB believes lax data security can be an unfair act when providing consumer financial services, the problem for covered entities is that the Bureau does not provide any detail on what appropriate data security standards are. In fact, the CFPB emphasizes that compliance with existing federal data security regulations might not be enough.
Last year, the Federal Trade Commission promulgated amendments to its Safeguards Rule addressing data security for entities subject to the federal Gramm-Leach-Bliley Act. Amendments that impose requirements on a covered entity’s data security policies and procedures become effective on Dec. 9. Because the amended rule applies to entities that are also covered by the CFPB, you would expect compliance with the amended Safeguards Rule would satisfy the Bureau. But you would be wrong. The circular points out that the CFPB’s expectations concerning data security are “not coextensive” with the Safeguards Rule or “other federal laws governing data security.”
The timing of the release of the circular is also important. On July 21, ACA International, the American Financial Services Association, the Consumer Data Industry Association, and the National Automobile Dealers Association wrote the FTC requesting a one-year extension of the effective date of the new requirements. On Aug. 5, the Office of Advocacy of the U.S. Small Business Administration made a similar letter request. But even if the implementation of the new Safeguards Rule standards is delayed for another year, as the CFPB sees it, covered entities are already expected to have sufficient data protection controls in place today.
THREE PRACTICES DESIGNED TO FAIL
While the circular does not explain what these appropriate controls might be, it does provide examples of practices likely to get covered entities in hot water.
First, not requiring multi-factor authentication or its equivalent “for its employees or offer[ing] multifactor authentication as an option for consumers accessing systems and accounts” may trigger liability.
Second, “not having adequate password management policies” will likely trigger a violation.
Third, the failure to have policies and procedures for updates and patches to “systems, software and code” is likely to trigger liability.
But as has often been the case with the Bureau, guidance on which compliance measures will work is found in its past enforcement actions, and the circular devotes significant text to those.
ENFORCEMENT, EXAMINATION, AND INVESTIGATION OF DATA SECURITY
When the CFPB releases a circular like this one, you can expect to see enforcement actions, more rigorous examinations, and investigations centered around the circular’s subject matter.
Such was the case following the 2014 release of a circular concerning the Furnisher Rule, which applies standards for furnishing information to credit reporting agencies and for dispute investigations under the Fair Credit Reporting Act. Following the release of the Furnisher Rule circular, several enforcement actions included allegations that the covered entity had violated the rule, and the Bureau noted in its 2017 and 2019 reports that examinations of covered entities revealed non-compliance with the Furnisher Rule. And since data security and privacy are hot news topics, the Bureau will want to capture some of those headlines for itself.
WEBINAR TO EXAMINE THE CFPB’S DATA SECURITY CIRCULAR
I’ll take a closer look at the CFPB’s efforts in data security on Aug. 26 at 9 am PT / Noon ET in a webinar, “The CFPB’s Recent Statement on Data Security Signals New Compliance Concerns.” The webinar is made available by the Receivables Management Association International and is free to members and otherwise available for a fee.