CFPB Warns That Inadequate Data Security Practices Could Trigger CFPA Liability

Cozen O'Connor

  • In its recent Consumer Financial Protection Circular 2022-04 and accompanying press release, the CFPB affirmed the agency’s position that entities can violate the Consumer Financial Protection Act’s (CFPA) prohibition on unfair acts or practices when they fail to impose sufficient data protection or information security practices to protect sensitive consumer information.
  • Specifically, the Circular addressed the application of the CFPA’s proscription on “unfair acts or practices” to inadequate data security for information collected, processed, maintained or stored by a company. Acts or practices are unfair, according to the Circular, “when they cause or are likely to cause substantial injury that is not reasonably avoidable and outweighed by countervailing benefits to consumers or competition.”
  • The CFPB concluded that inadequate data security measures can cause significant harm or a risk of harm to consumers even in the absence of an actual data breach, and can therefore constitute an unfair act or practice under the CFPA. The CFPB noted that consumers cannot avoid the harm of a data security failure, as they have no way of knowing whether security measures are properly implemented and lack the practical means to avoid harm. The Bureau added that it is unaware of any instances where poor data security practices would be outweighed by countervailing benefits.
  • The CFPB clarified that, specifically, an entity that fails to implement multi-factor authentication, sufficient password management policies, and timely software updates will typically meet the first two elements of an unfairness claim and may trigger liability under the CFPA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising
