Consumer Financial Protection Circular 2022-04

Insufficient data protection or security for sensitive consumer information

Question presented

Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?

Summary answer

Yes. In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B). While these requirements often overlap, they are not coextensive.

Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.


More

Wired: Google is rolling out password-killing tech to all accounts

Google’s announcement of its passkey rollout comes on the eve of World Password Day on…

Read More →

PC Mag: Misinformation, MFA Doubts, and AI: Everything We Saw at RSAC 2023

The RSA Conference further proved that passwords are a problem. The solution, we’re told, lies in…

Read More →

CIO Review: Nok Nok Partners With Carahsoft to Provide Phishing-Resistant MFA Solutions to Federal, State and Local Government Agencies

Nok Nok, a leader in passwordless authentication for the world’s largest organizations, today announced a…

Read More →


Subscribe to the FIDO newsletter

Stay Connected, Stay Engaged

Receive the latest news, events, research and implementation guidance from the FIDO Alliance. Learn about digital identity and fast, phishing-resistant authentication with passkeys.