Aug 11, 2022 – In Circular 2022-04, the CFPB clarified insufficient data protection or information security can constitute an unfair practice in violation of the Consumer Financial Protection Act.
“Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition.”
The Bureau goes on to note that (a) the standard is not ‘if a practice causes actual harm’ but ‘if a practice is likely to cause harm’ and (b) these determinations are fact-specific. But they will be looking at the use of these three common data security practices:
- Multi-factor authentication
- Monitor for data breaches at other entities where employees might reuse logins and passwords
- Update software in a timely manner to reduce vulnerabilities
To read more, please click the links below: