CFPB to Crack Down on Financial Firms’ Protection of Consumer Data
Last week, the Consumer Financial Protection Bureau (CFPB) published a circular outlining the responsibilities financial firms have to protect consumer data, noting that failure to do so could violate the Consumer Financial Protection Act. The Bureau specified that acts and practices are unfair when they’re likely to cause a lot of harm, and when the company wouldn’t put itself at a competitive disadvantage to prevent that harm.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud and abuse,” said CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common sense steps to protect personal financial data.”
The CFPB listed password management, multifactor authentication, and prompt software updates as methods to prevent harm pertaining to consumers’ personal data. It also noted that a financial company doesn’t have to experience a data breach for its protection of consumer data to be considered insufficient.
Practices like inadequate data security measures may violate the Consumer Financial Protection Act, since they could cause substantial injury to consumers. The CFPB cited the 2017 Equifax breach, in which millions of consumers’ data was hacked; Equifax was charged in 2019 with violating the law.
“While the prohibition on unfair practices is fact-specific, the experience of the agencies suggests that failure to implement common data security practices will significantly increase the likelihood that a firm may be violating the prohibition,” said the CFPB.