CFPB Asserts New Authority Over Data Security Practices

Published date: 22 August 2022
Subject matter: Finance and Banking, Consumer Protection, Privacy, Technology, Financial Services, Data Protection, Consumer Law, Privacy Protection, Security
Law firm: Cooley LLP
Authors: Mr James E. Dionne, Adam Fleisher and Obrea Poindexter

On August 11, 2022, the Consumer Financial Protection Bureau published a Consumer Financial Protection Circular taking the position that providing "[i]nadequate security for the sensitive consumer information collected, processed, maintained, or stored by ... [a] company can constitute an unfair practice" under the Consumer Financial Protection Act (CFPA).1 Because insufficient data security is likely to cause substantial injury to consumers that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition,2 the CFPB considers this to be an unfair practice - even in the absence of a data breach.

CFPB asserts expanded authority for information security

Financial institutions that provide services to consumers are subject to the requirements of the Gramm-Leach-Bliley Act (GLBA). The GLBA requires covered financial institutions and service providers to maintain an information security program with several specific requirements, such as imposing limitations on who can access customer information, requiring the use of encryption to secure information, and requiring the designation of a single qualified individual to oversee an institution's information security program (the Safeguards Rule). The GLBA's Safeguards Rule is implemented by the Federal Trade Commission (FTC).3 In the August 11 circular, the CFPB asserts that information security programs are also subject to CFPB oversight, as maintaining adequate consumer data protections would be required to comply with the CFPA's prohibition on unfair, deceptive, or abusive acts or practices (UDAAP). An unfair act or practice is one that:

  1. Causes or is likely to cause substantial injury to consumers.
  2. Is not reasonably avoidable by consumers.
  3. Is not outweighed by countervailing benefits to consumers or competition.4

The CFPB enumerates several instances where inadequate data security practices are likely to cause substantial injury to consumers, including through data breaches, cyberattacks, exploits, ransomware attacks and other exposure of consumer data.5 Such harms are not reasonably avoidable by consumers, as information security programs are controlled or implemented by the financial institution, and the consumer has little say over these programs. The CFPB also notes that in conducting the balancing test required by the third UDAAP prong, it "expects" that the risk of substantial injury to consumers will outweigh any benefits to consumers or competition through cost...
