August 11, 2022

CFPB: Agency Takes Action to Protect the Public from Unsafe Data Security Practices

Financial companies may be held liable for unfairly putting customers’ data at risk

The Consumer Financial Protection Bureau (CFPB) confirmed in a circular published today that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”

The CFPB is increasing its focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.

Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. For example, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security.

Today’s circular also provides examples of widely implemented data security practices. The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act. However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act, including:

Read today’s Consumer Financial Protection Circular on data security.

Consumers can submit complaints about financial issues that come up from data breaches by visiting the CFPB’s website or by calling (855) 411-CFPB (2372).

Employees who believe their companies have violated federal consumer financial protection laws are encouraged to send information about what they know to whistleblower@cfpb.gov.
