On August 11, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a circular (Circular 2022-04, or the “Circular”) addressing whether insufficient data and information security practices can violate the prohibition against unfair acts or practices in the Consumer Financial Protection Act (“CFPA”). The CFPB concluded that inadequate security practices could give rise to a claim not only under federal data security laws like the Gramm-Leach-Bliley Act (“GLBA”), but also under the CFPA. The Circular discusses the elements of a claim under the CFPA and identifies a few specific practices that the CFPB views as likely giving rise to a violation of the CFPA. The Circular, however, does not otherwise provide direction to the industry on expected information security practices.