CFPB Warns That Inadequate Data Security Practices Could Trigger CFPA Liability

  • In its recent Consumer Financial Protection Circular 2022-04 and accompanying press release, the CFPB affirmed the agency’s position that entities can violate the Consumer Financial Protection Act’s (CFPA) prohibition on unfair acts or practices when they fail to implement data protection and information security practices sufficient to protect sensitive consumer information.
  • Specifically, the Circular addressed the application of the CFPA’s prohibition on “unfair acts or practices” to inadequate data security for information collected, processed, maintained or stored by a company. Under the three-part test the Circular applies, an act or practice is unfair when (1) it causes or is likely to cause substantial injury to consumers, (2) the injury is not reasonably avoidable by consumers, and (3) the injury is not outweighed by countervailing benefits to consumers or competition.
  • The CFPB concluded that inadequate data security measures can cause substantial injury, or a likelihood of injury, to consumers even in the absence of an actual data breach, and can therefore constitute an unfair act or practice under the CFPA. On the second element, the CFPB noted that consumers cannot reasonably avoid the harm of a data security failure: they have no way of knowing whether a company’s security measures are properly implemented and no practical means of protecting themselves from the consequences. On the third element, the Bureau added that it is unaware of any instance in which the harm from poor data security practices would be outweighed by countervailing benefits to consumers or competition.
  • The CFPB identified three specific failures, each of which will typically satisfy the first two elements of an unfairness claim and may therefore trigger liability under the CFPA: failing to implement multi-factor authentication, failing to maintain adequate password management policies, and failing to apply software updates in a timely manner.