CFPB warns firms on poor cyber hygiene
The agency says that poor password and data management practices, among others, can expose companies to legal consequences.
Companies that fail to take basic steps to secure customer data and maintain a basic level of cybersecurity hygiene for user accounts could fall afoul of a host of regulators, according to a Consumer Financial Protection Bureau circular set to be published Tuesday in the Federal Register.
The circular warns that the Consumer Financial Protection Act's ban on "unfair acts or practices" could cover poor data stewardship that is "likely" to lead to a breach or other harms.
"Where companies forgo reasonable cost-efficient measures to protect consumer data … the Consumer Financial Protection Bureau (CFPB) expects the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition," the circular states.
Companies that don't require multifactor authentication for employees to access customer data or don't offer users additional layers of security beyond username/password could be liable under the statute. Additionally, the circular states that failure to install timely updates to commercial software could expose companies to liability.
"Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse," said CFPB Director Rohit Chopra. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data."
The agency cited the Equifax breach, which compromised personal information on more than 147 million people and led to an agency lawsuit over the company’s outdated technological infrastructure, which relied on software components with known vulnerabilities.
CFPB circulars are intended to harmonize enforcement practices across the spectrum of agencies with financial regulation authority, including the Federal Deposit Insurance Corporation, the Office of the National Comptroller of the Currency, the Federal Reserve System and others. The document was first published on the CFPB website in mid-August.