It's Not Just GLBA Any More

On August 11, 2022, the Consumer Financial Protection Bureau released Consumer Financial Protection Circular 2022 – 04 titled “Insufficient Data Protection or Security for Sensitive Consumer Information”. The circular was published in the Federal Register on September 6, 2022, and answers the presented question “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”

Unsurprisingly, the answer is “yes”. As stated in the circular, “In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA.” Hmmmmm … that’s you, dear reader. The CFPA defines an unfair act or practice as one that causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by the consumer, and is not outweighed by countervailing benefits to the consumer or competition.

You may be thinking “yeah, but what’s ‘substantial injury’? Surely, none of my organization’s practices would ever rise to meeting that level?” Well guess what? If your organization is deemed to have inadequate data security measures, your customers can indeed sustain ‘substantial injury’ as it is defined in the CFPA. A practice which causes substantial injury to consumers occurs when significant harm occurs to a few consumers or a small amount of harm to many consumers. The circular goes on to state that actual injury is not required in every case to substantiate that the practice was unfair and resulted in injury. In other words, if a practice is “likely to cause” a substantial injury, including inadequate data security measures that have not yet resulted in a breach, this lack of action can be deemed unfair under the CFPA, especially if the consumer cannot reasonably avoid the harms caused by a firm’s data security failures.

But wait there is hope...The circular describes actions you can take and practices your organization can implement to lessen the likelihood of having liability under the CFPA. Specifically, the circular points out the following three actions that should be part of your organization’s routine data security program and have the added benefit of enhancing your organization’s efforts to comply with CFPA standards:

Now those actions aren’t rocket science or anything new, but it’s probably a good idea to just take some time to revisit what your organization is doing to ensure all three are in place and routinely validated. Any actions you take now can prevent potential regulatory scrutiny and lessen liability under both GLBA and CFPA.

For more information on the Consumer Financial Protection Circular, see this link:
https://files.consumerfinance.gov/f/documents/cfpb_2022-04_circular_2022-08.pdf

Authored by: Joann Lang, CIA, CAMS, CCBP