CFPB Takes on Failure to Adopt "Common Data Security Practices"
A reminder to financial services firms: the Consumer Financial Protection Bureau (CFPB) is also a data security regulator.
The CFPB recently issued Consumer Financial Protection Circular 2022-04, which warned that data security shortcomings could subject financial services firms to unfairness claims under the Consumer Financial Protection Act (CFPA)—even if those firms comply with the Gramm-Leach-Bliley (GLBA) Safeguards Rule, the primary data security regulation for non-bank financial institutions.
According to the August 11, 2022, circular, the requirements of the GLBA Safeguards Rule (and other federal data security requirements) "often overlap" with the data security obligations under the CFPA but "are not coextensive." The CFPB issued its circular on the same day that the Federal Trade Commission (FTC)—the federal agency responsible for developing and enforcing the GLBA Safeguards Rule—published its advance notice of proposed rulemaking (ANPR) on commercial surveillance and data security. (We discussed the advance notice of proposed rulemaking in a blog post when it was first published.)
The CFPA's prohibition on unfair acts and practices requires firms to assess the likely injury to consumers caused by a given act or practice. If an act or practice is likely to cause substantial injury that is not reasonably avoidable by consumers, the act or practice may be considered unfair in violation of the CFPA—unless the firm can show that such injury is outweighed by the benefits to consumers or competition.
In theory, the balance of harm and benefits could give a firm considerable flexibility in designing its data security program. For example, a firm might decide that consumers do not need to use multifactor authentication (MFA) to access their accounts because the benefits of a simpler login process outweigh the potential harms of unauthorized access. But be warned: The circular clarifies that the CFPB may take a very different position in practice. The circular states that where a company forgoes "reasonable cost-efficient" data security measures (as described below), the CFPB "expects the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition."
In other words, although the prohibition on unfair practices is fact-specific, the CFPB may take the view that failure to adopt common security measures will significantly increase the likelihood of liability under the CFPA. The circular identifies three such security measures:
- Requiring MFA for employees and offering it for customers in the absence of a reasonably secure equivalent;
- Adopting password management policies and practices, including processes to prevent employees from re-using passwords compromised in breaches at other companies; and
- Timely and routine software updates and patching or taking other mitigating steps if patching is not possible (the FTC has also stressed the importance of timely software updates, as we discussed in a prior post).
Notably, the circular states that a covered firm may commit unfair data security acts or practices even in the absence of any security incident or breach. Under the CFPA, an act or practice may be unfair where it is likely to cause substantial injury, even if it does not actually do so.
As discussed in more detail below, firms covered by the CFPA should consider various ways to incorporate the circular's guidance into their information security programs, including through risk and maturity assessments.
Legal Framework
The CFPA, which created the CFPB, was enacted as Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) of 2010. Dodd-Frank created new authorities for the CFPB, including to prohibit unfair, deceptive, or abusive acts or practices (UDAAPs) in connection with the provision or offering of consumer financial products or services. Dodd-Frank also transferred numerous existing authorities from other agencies to the CFPB. Among those transferred authorities was a significant portion of the FTC's rulemaking and enforcement authority for GLBA, including GLBA's privacy disclosure rules, as they pertain to many consumer financial products or services firms.
However, Dodd-Frank explicitly reserved the FTC's rulemaking and enforcement authority related to the GLBA Safeguards Rule. As a result of this division, the data security practices of many consumer financial products or services firms are regulated by both the CFPB under its CFPA UDAAP authority and by the FTC under the GLBA Safeguards Rule. The FTC also retained its authority to bring actions under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits "unfair or deceptive acts or practices," against non-bank financial institutions and its authorities under various other statutes that touch on consumer finance. However, the CFPB has broader authority than the FTC to impose substantial civil money penalties for violations of the CFPA's prohibition against unfair acts and practices.
Under the CFPA, 12 U.S.C. § 5531(c), an act or practice is unfair if it: (1) causes or is likely to cause substantial injury to consumers, (2) is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition. As noted in the CFPB's circular, this definition is very similar to the concept of unfair practices under Section 5 of the FTC Act as developed through FTC enforcement actions. In delineating how the CFPA's unfairness prohibition may apply to data security practices, the CFPB's circular cites several cases brought by the FTC under Section 5's unfairness prong. The circular also references enforcement actions brought by both the CFPB under its unfairness authority and by the FTC under both Section 5 and the GLBA Safeguards Rule.
Steps for Addressing the Circular
Consumer financial products and services firms covered by the CFPA are advised to consider the following:
- Conduct a risk assessment (a requirement under the GLBA Safeguards Rule and other laws) that incorporates the CFPA's unfairness guidance. For example, when assessing whether the company should adopt additional security safeguards, assess the potential consumer harms those safeguards could mitigate and the consumer benefits of your current status. Assessing these factors as part of your standard risk assessment process will help you analyze prospective unfairness liability under the CFPA.
- Perform a gap assessment against the GLBA Safeguards Rule and other applicable laws. The CFPB's circular states that compliance with the GLBA Safeguards Rule is not a safe harbor against liability under the CFPA. Even so, it is apparent that compliance with the former will go a long way toward avoiding liability under the latter. The GLBA Safeguards Rule includes numerous specific requirements, from administrative requirements to appoint a head of your information security program and to conduct documented risk assessments, to technical requirements on adopting encryption, access controls, and MFA.
We discussed the requirements of the GLBA Safeguards Rule, which was overhauled in December 2021, in a prior blog post and webinar. Even if the GLBA Safeguards Rule does not apply to you, its requirements can serve as a helpful baseline for compliance with the CFPA. Additionally, if you are covered by other data security rules, such as the New York Department of Financial Services Cybersecurity Regulation, be sure to conduct a gap assessment against those rules as well.
- Perform a maturity assessment using a cybersecurity framework. As stated above, the CFPB's circular warns that firms may commit unfair acts or practices where they forgo "reasonable cost-efficient" security measures. The circular also states that failure to implement "common" security measures "will significantly increase" the likelihood that the company will be found to have engaged in an unfair act or practice. These statements raise a question: what security measures are considered "reasonable," "cost efficient," and "common"? Conducting a maturity assessment against security frameworks such as ISO 27001, the NIST Cybersecurity Framework, or the Center for Internet Security (CIS) Controls can help answer this question.
To be clear, many provisions of these frameworks will not be applicable to or reasonable for every firm, and firms should not assume that their security is deficient simply because they do not meet every requirement of one of these frameworks. But these frameworks can serve as effective baselines for your company's risk assessment. For example, where a firm elects not to adopt certain provisions of a framework, it can use its risk assessment process to explain why adoption of that provision is not appropriate given considerations of security risks, consumer experience, and other factors.
But be aware the CFPB stated that it "is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely to have been caused by a company's poor data security practices was outweighed by countervailing benefits to consumers or competition." The NIST Cybersecurity Framework and CIS Controls may be particularly useful for this kind of benchmarking exercise, as both incorporate various maturity levels designed to apply to organizations of different sizes and complexities.
- Consider your status as a service provider under the CFPA. If your firm is a service provider to companies covered by the GLBA Safeguards Rule or the CFPA, it is important to consider a key difference in who is covered by the two laws. While the GLBA Safeguards Rule does not directly apply to service providers (although service providers to covered "financial institutions" might themselves be considered financial institutions based on the work they perform, such as in the FTC's enforcement action against LightYear Dealer Technologies), the CFPA does. The CFPA specifically prohibits service providers of covered firms from engaging in unfair acts and practices (among others prohibited by the CFPA), and the CFPB can bring enforcement actions against those service providers. The CFPB may use this additional reach of the CFPA to bring data security-related actions against service providers who are not covered by the GLBA Safeguards Rule (as noted below, however, firms not covered by the GLBA Safeguards Rule may still be subject to Section 5 of the FTC Act).
Looking Ahead
As noted above, the CFPB issued its circular on the same day that the FTC published its ANPR on commercial surveillance and data security. The timing of these two publications may indicate that the FTC and CFPB intend to coordinate on data security rulemaking and enforcement, and that the CFPB wants to remind companies of its role as a data security regulator alongside the FTC.
It is likely that the CFPB will bring significant enforcement actions for alleged data security failures under its unfairness authority—particularly where companies have failed to adopt the "reasonable, cost-efficient" safeguards referenced in the circular: MFA, password management, and timely software updates and patching. The DWT team will continue to monitor both the FTC’s and CFPB's activities in the data security space.