MVA White Collar Defense, Investigations, and Regulatory Advice Blog

On August 11, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a circular (Circular 2022-04 or, the “Circular”) addressing whether insufficient data and information security practices can violate the prohibition against unfair acts or practices in the Consumer Financial Protection Act (“CFPA”). The CFPB concluded that inadequate security practices could give rise to a claim not only under federal data security laws like the Gramm-Leach-Bliley Act (“GLBA”), but also under the CFPA as well. The Circular discusses the elements of a claim under the CFPA and identifies a few specific practices that the CFPB identified as likely giving rise to a violation of the CFPA. The Circular, however, does not otherwise provide direction to the industry on expected information security practices.

The Circular states that while requirements for information security practices under the CFPA may often overlap with the requirements under GLBA and its implementing regulations by the Federal Trade Commission (“FTC”) and Federal banking regulators, the requirements of the GLBA and CFPA are not wholly identical.  Under the CFPA, an act or practice is unfair when:

1. it causes, or is likely to cause, substantial injury to consumers;
2. the injury is not reasonably avoidable by consumers; and
3. the injury is not outweighed by countervailing benefits to consumers or competition.

The “substantial injury” requirement considers both individual and aggregate impacts to customers. For instance, substantial injury could result either from a small amount of harm to many customers or from significant harm to only a few. In addition, actual injury is not required to meet the substantial injury prong. Instead, a “significant risk” of substantial injury to consumers is also sufficient to meet this requirement. With respect to the second element of a claim, the Circular notes that in most instances customers will not understand or have an ability to control the security measures of a company in a way that would allow them a practical means or opportunity of avoiding injury. Regarding the final element of a claim under the CFPA, the CFPB stated that it was unaware of any case where a court has found that a substantial injury to consumers was outweighed by benefits to consumers or to competition.  

After reviewing the underlying facts associated with several prior regulatory actions addressing inadequate data security measures, including a 2019 CFPB and FTC settlement with Equifax and several FTC actions, the CFPB identified the following practices as likely triggering liability under the CFPA:

• The failure of the company to offer multi-factor authentication to its consumers as an option for systems and account access;
• The failure of the company to have adequate password management policies and practices, including a failure to monitor for breaches at other entities where employees may be re-using logins and passwords; and
• The failure to update and patch systems, software, and code routinely and when critical vulnerabilities are announced, to have inventories of software system dependencies, and to discontinue use of software versions that are no longer actively maintained by the vendor.

Like the Equifax settlement, the Circular serves as a clear reminder to financial companies and their service providers that the requirements of the CFPA, rather than only those of the GLBA, may also serve as a source of liability for inadequate data security practices. The actual data security requirements of the CFPA, though, are unclear. The Circular notes that while the requirements of the GLBA and CFPA may “often overlap, they are not coextensive.” The Circular, however, does not otherwise provide insight into these non-overlapping requirements. In a statement that accompanied release of the Circular, the CFPB indicated that the Circular is not intended to suggest any specific security practices are required by the CFPA, although it does cite the three areas highlighted above as practices that heighten the likelihood of liability under the CFPA. No more detail is provided, other than a statement that failure to implement “common” data security practices increases the risk of a violation. As a result, companies should evaluate whether their information security practices address, at a minimum, those three areas specifically referenced in the Circular. It remains to be seen how extensively and frequently the CFPB will seek to use its enforcement powers to identify new common information security practices for the industry.