The CFPB recently published Circular 2022-04 (the Circular) stating that failure to provide adequate security for consumer information may constitute an unfair practice under the CFPA, even in the absence of a breach or other intrusion.
The Circular states that the CFPA’s prohibition against unfair acts and practices may be violated if a “covered entity” fails to comply with FTC and federal banking agency guidelines implementing GLBA, as well as when “companies forego reasonable cost-efficient measures to protect consumer data.” An unfair act or practice is defined, in relevant part, as an act or practice that causes or is likely to cause substantial injury to consumers. The CFPB considers an injury substantial if it causes significant harm (or risk of harm) to a few consumers, or a small amount of harm (or risk of harm) to many consumers. Because the risk of harm alone may qualify as a substantial injury, inadequate data security measures that increase the likelihood of substantial injury to consumers can constitute unfair acts or practices under the CFPA, whether or not a breach has occurred.
Further, the Circular identifies three common data security practices whose absence significantly increases the likelihood that the CFPA prohibition against unfair acts and practices will be violated: multi-factor authentication, password management, and timely software updates.