The Consumer Financial Protection Bureau unequivocally announced yesterday that companies with “insufficient data protection or information security” are violating federal law while providing examples of “widely implemented data security practices” that companies can use as a guide to avoid such an accusation.
Consumers have no control over how companies in the financial services industry safeguard their personal information yet run the risk of having their identities stolen if that information is compromised or obtained because the company did not have adequate protections in place, the CFPB noted. It cited a lawsuit filed against Equifax in 2019 for allegedly failing to secure the personal information of individuals, allowing hackers to steal the information of more than 140 million consumers as an example of what could happen.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra, in a statement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
The “widely implemented” practices mentioned by the CFPB were cited as examples where the failure to implement them increased the risk that a company’s conduct would trigger liability under the Consumer Financial Protection Act. Those practices are:
- Multi-factor authentication, which can protect against credential phishing
- Adequate password management as a way of keeping employees from re-using logins and passwords
- Timely software updates that address vulnerabilities
Even if a consumers’ information is not stolen or used to facilitate identity theft, companies may still be in hot water. Companies may be found to be operating unfairly if they are engaging in practices that “are likely to cause” substantial injury, which includes not implementing adequate security measures.