On August 11, the CFPB published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.
Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.
The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) where the substantial injury is not outweighed by countervailing benefits to consumers or competition. The CFPB explained that inadequate data security measures can cause substantial injury, ranging from significant harm to a few consumers who become the victims of targeted identity theft to harm to potentially millions of consumers in the event of a breach affecting an entire customer base. The agency stressed that actual injury is not required to meet the substantial injury prong, as a significant risk of harm is also sufficient. This means that even practices that are merely likely to cause substantial injury, such as inadequate data security measures that have not yet resulted in a data breach, can still satisfy this prong of unfairness.
With respect to the second prong of unfairness, the CFPB explained that consumers are unable to reasonably avoid the harms caused by a firm’s data security failures as they typically do not know whether appropriate security measures are properly implemented, do not control an entity’s security measures, and lack practical means to reasonably avoid harms resulting from data security failures. As for the final prong, the CFPB noted that where companies forgo reasonable cost-efficient measures to protect consumer data, the agency expects the risk of substantial injury to consumers to outweigh any purported countervailing benefits to consumers or competition.
The circular also highlighted a number of data security-related cases brought by the FTC, wherein the agency alleged violations of its analogous prohibition against unfair practices under the FTC Act in connection with inadequate authentication practices, poor password management, failure to remediate known software security vulnerabilities, and other deficient data security practices.
The CFPB provided the following examples of conduct that increase the risk of triggering liability under the CFPA:
- Not requiring multi-factor authentication for employees or not offering multi-factor authentication as an option for consumers accessing systems and accounts, or failing to implement a reasonably secure equivalent.
- Not having adequate password management policies and practices. This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords, and using default enterprise logins or passwords.
- Not routinely updating systems, software, and code or failing to update them when notified of a critical vulnerability. This includes using versions of software no longer actively maintained by vendors and not keeping track of which systems depend on what software to ensure that software is up to date. The CFPB highlighted its complaint against Equifax over the consumer reporting agency’s 2017 data breach. The CFPB alleged that Equifax violated the CFPA’s prohibition on unfair acts or practices by, among other things, failing to patch a known vulnerability for more than four months, which resulted in hackers gaining access to Equifax’s system and obtaining the personal information of millions of consumers.
The CFPB stressed that the prohibition on unfair practices is fact-specific and that the circular does not suggest that particular security practices are specifically required under the CFPA. Nonetheless, the CFPB is sending clear signals that it intends to use UDAAP to enforce certain standards for data security, notwithstanding that the CFPB has never adopted any substantive rules in this area prescribing particular data security practices. Financial companies and their service providers should review their information security programs and take care to implement common data security measures—such as multi-factor authentication, adequate password management, and timely software updates—to help minimize the risk of an unfairness violation.