August 12, 2022

CFPB: Insufficient data protection or security for sensitive consumer information

Consumer Financial Protection Circular 2022-04

Insufficient data protection or security for sensitive consumer information

Question presented

Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?

Summary answer

Yes. In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B). While these requirements often overlap, they are not coextensive.

Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.

MORE FIDO in the News


GlobeNewswire: NordPass will store passkeys and offer passwordless authentication

LONDON, Jan. 26, 2023 (GLOBE NEWSWIRE) — On Thursday, NordPass, the...

January 27, 2023

Security Boulevard: Are you using a FIDO Certified authenticator?

Multi-factor authentication (MFA) gets touted as a significant security improvement over...


Next Inpact: Passwordless Authentication: BitWarden Acquires Passwordless.dev

Even if the movement will take years, sooner or later...


CSO: How passkeys are changing authentication

Well-implemented passkeys can improve the user experience and make it...

Download Authn Specs
Sign up for updates!Get news from FIDO Alliance in your inbox.

By submitting this form, you are consenting to receive communications from: FIDO Alliance, 3855 SW 153rd Drive, Beaverton, OR 97003, US, http://www.fidoalliance.org. You can revoke your consent to receive emails at any time by using the unsubscribe link found at the bottom of every email.