Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.
This position is not new, as the Bureau has been pursuing covered entities for lax data security measures for some years.
In 2016 the Bureau brought its first data security enforcement action against Dwolla, a payment processor. What makes this action stand out is that Dwolla did not suffer a data breach nor was it accused of exposing consumer non-public information. Instead, the Bureau claimed the company mispresented to consumers the quality of its encryption and data-security protections.
In addition, the Bureau alleged Dwolla did not have “reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers’ personal information.” Dwolla was ordered to pay a $100,000 fine and take measures to fix its “security flaws.”
In the intervening years, the Bureau has added information and data security to its examination procedures.
THE IMPORTANCE OF THE CIRCULAR
While the Bureau believes lax data security can be an unfair act when providing consumer financial services, the problem for covered entities is that the Bureau does not provide any detail on what are appropriate data security standards. In fact, the Bureau emphasizes that compliance with existing federal data security regulations might not be enough.
Last year, the Federal Trade Commission promulgated amendments to its Safeguards Rule addressing data security for entities subject to the federal Gramm-Leach-Bliley Act. Amendments that impose requirements on a covered entity’s data security policies and procedures become effective on Dec. 9. Because the amended rule applies to entities that are also covered by the CFPB, you would expect compliance with the amended Safeguards Rule would satisfy the Bureau. But you would be wrong. The circular points out that the Bureau’s expectations concerning data security are “not coextensive” with the Safeguards Rule or “other federal laws governing data security.”
The timing of the release of the circular is also important. On July 21, ACA International, the American Financial Services Association, the Consumer Data Industry Association, and the National Automobile Dealers Association wrote the FTC requesting a one-year extension of the effective date of the new requirements. On Aug. 5, the Office of Advocacy of the U.S. Small Business Administration made a similar letter request. So even if the implementation of the new Safeguards Rule standards is delayed for another year, as the Bureau sees it, covered entities are already expected to have sufficient data protection controls in place today.
THREE PRACTICES DESIGNED TO FAIL
And while the circular does not explain what these appropriate controls might be, it does provide examples of practices likely to get covered entities in hot water.
First, not requiring multi-factor authentication or its equivalent “for its employees or offer[ing] multifactor authentication as an option for consumers accessing systems and accounts.”
Second, “not having adequate password management policies” will likely trigger a violation.
Finally, the failure to have policies and procedures for updates and patches to “systems, software and code” is likely to trigger liability.
But as often has been the case with the Bureau, understanding which compliance measures will work is often found in its past enforcement actions and the circular devotes significant text to those.
ENFORCEMENT, EXAMINATION, AND INVESTIGATION OF DATA SECURITY
When the Bureau releases a circular like this one, you can expect to see enforcement actions, more rigorous examinations, and investigations centered around the circular’s subject matter.
Such was the case following a 2014 release of a circular concerning the Furnisher Rule which applies standards for furnishing to credit reporting agencies and dispute investigations under the Fair Credit Reporting Act. Following the release of the Furnisher Rule circular, several enforcement actions included allegations that the covered entity violated the rule and noted in its 2017 and 2019 reports that examinations of covered entities revealed non-compliance with the Furnisher Rule. And since data security and privacy are hot news topics, the Bureau will want to capture some of those headlines for itself.
Editor’s Note: This article originally appeared in The Consumer Financial Services Blog (consumerfsblog.com).
Donald Maurice focuses his practice primarily on representing consumer and commercial financial services companies, including financial asset buyers and sellers, depository institutions, third-party debt collectors, and other financial services providers.
He successfully litigates for the financial services industry in state and federal courts. He has provided defense in individual and class action claims brought under the Truth in Lending Act, Equal Credit Opportunity Act, Fair Debt Collection Practices Act, Telephone Consumer Protection Act, Fair Credit Reporting Act and various state consumer protection laws.
In addition, Don counsels clients in data privacy and other regulatory compliance matters and provides advice and counsel to attorneys in matters of professional responsibility and attorney ethics.
He is peer-rated AV Preeminent by Martindale-Hubbell, the worldwide guide to lawyers. A description of the selection methodology can be found at martindale.com. Named by Corporate Counsel magazine in its annual surveys of in-house counsel teams as a “Go-to Law Firm for the Top 500 Companies” and a “Go-to Financial Law Firm.” Corporate Counsel is a publication of American Lawyer Media. No aspect of this advertisement has been approved by the Supreme Court of New Jersey.