CFPB: Financial Firms Liable for Data Leaks

Credit scorers, lenders and other financial firms that collect personal data have a duty to keep it safe – and a liability if they don’t – the U.S. consumer bureau says.

WASHINGTON, D.C. – The Consumer Financial Protection Bureau (CFPB) confirmed in a circular that financial companies may violate federal consumer financial protection law if they fail to safeguard consumer data.

Americans applying for a mortgage or relying on their credit scores assume that the companies holding data such as Social Security numbers, yearly earnings and total debts go out of their way to keep that data safe from scammers and other crooks. Many do, but CFPB says it will step up enforcement against those companies that do not.

Past data security incidents, including the 2017 Equifax data breach, allowed outsiders to harvest the personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. CFPB charged Equifax in 2019, for example, with violating the Consumer Financial Protection Act to address misconduct related to data security.

The circular outlines the conditions where a company could be held liable and includes examples.

“While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data,” says CFPB Director Rohit Chopra.

The CFPB says it’s increasing its focus on potential misuse, and the new circular lists processes it will look at, even though the Consumer Financial Protection Act doesn’t specifically create mandatory processes that help firms avoid liability.

CFPB’s list of possible security failures

  • Multi-factor authentication: Multi-factor authentication makes it harder for criminals to gain access to data, and some forms of it, such as those using the Web Authentication standard supported by web browsers, can protect against credential phishing.
  • Adequate password management: Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. Firms still using passwords should have password management policies and practices that find a way to monitor breaches at other entities where employees may be re-using logins and passwords.
  • Timely software updates: Software vendors, including open-source software libraries and projects, often send out patches and updates that address emerging threats. However, criminals also receive these updates and are essentially given instructions on how to hack into secure data within any company that has not yet updated its security software. CFPB will look for protocols to immediately update software and address vulnerabilities once they become publicly known.
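The password-management item above asks firms to monitor breaches at other entities for re-used credentials. The Python below is an added illustration of one common way that is done, not code from CFPB or the circular: the password is hashed, only the first five hex characters of the hash are sent to a breach-monitoring lookup, and the client matches the remaining suffix locally, so the lookup service never sees the full hash. The breach corpus and its counts are constructed for this example, and the range lookup is an in-process stand-in for a real remote service.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: passwords seen in hypothetical breaches at other
# organisations, with the number of times each appeared. A real monitoring
# service holds hundreds of millions of entries; this is a stand-in for the demo.
_LEAKED_PASSWORDS = {
    "password": 3_861_493,
    "123456": 37_359_195,
    "qwerty123": 1_041_216,
    "Summer2022!": 612,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach corpora are commonly keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first five hex characters of each hash so a query can
# be answered from the prefix alone (the k-anonymity range-query pattern used by
# breached-password services; the server never learns which suffix the client wanted).
_RANGE_INDEX: dict[str, dict[str, int]] = defaultdict(dict)
for _pw, _count in _LEAKED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]][_h[5:]] = _count


def range_lookup(prefix: str) -> dict[str, int]:
    """Simulated breach-monitoring service (assumed interface, not a real API):
    given a 5-hex-character prefix, return every known hash suffix under it
    together with its breach count."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: send only the hash prefix, then match the suffix locally."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def evaluate_password(password: str, min_length: int = 12) -> list[str]:
    """Return policy findings for a candidate password; an empty list means it is acceptable.
    The minimum length is an assumed policy value for the example."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    n = breach_count(password)
    if n:
        findings.append(f"seen {n} times in third-party breach data; must be changed")
    return findings


if __name__ == "__main__":
    for candidate in ["Summer2022!", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate) or ["ok"])
```

In production the same client logic would call the monitoring provider over TLS and, when a match is found, force a reset rather than merely report it; the prefix-only query is what keeps the check from leaking employee passwords to a third party.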

© 2022 Florida Realtors®