By: Ken Chase.
In a new circular published this week, the Consumer Financial Protection Bureau outlined financial companies’ responsibility to protect their customers’ personal and financial data. In a move that analysts viewed as a potential crackdown on financial firms, the CFPB noted that failure to adequately safeguard consumer data could place banks in violation of the Consumer Financial Protection Act.
The circular was created to answer questions concerning financial entities’ possible violation of that Act due to a failure to provide adequate information security and data protection. The bureau’s response and analysis left no doubt about the CFPB’s position on that issue: when the regulatory bureau finds that an institution has neglected to implement any of three basic security controls, that institution is likely to face punitive action.
Those three security controls include basic considerations recognized as the bare minimum in data safeguards: multifactor authentication to verify identities, password management, and regular timely updates to software systems.
Multifactor authentication, or MFA, is becoming a priority for regulators concerned about data protection. The CFPB clearly expressed its belief that this security measure can help to reduce unauthorized access to customers’ accounts and personal data.
Proper password management can help to eliminate one of the most common access points for data breaches. According to the CFPB, an organization’s failure to maintain adequate password management practices and systems would likely trigger a liability finding in the event that customer data security was negatively impacted.
The CFPB’s position on software updates was equally straightforward. In its view, companies that fail to install regularly issued security patches could be liable for any resulting vulnerabilities that leave customer data unprotected from hackers and other bad actors. As a result, companies have an obligation to quickly install updates and patches as they are released, while also replacing any software systems that are no longer receiving vendor support and maintenance.
As the CFPB notes in its circular, “In certain circumstances, failure to comply with these specific requirements may also violate the CFPA’s prohibition on unfair acts or practices. The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition.”