The agency created in 2010 to protect people from predatory lenders, the Consumer Financial Protection Bureau, says in a policy circular it released last week that it has the authority to go after companies whose lax data management could put consumer finances at risk.
“Inadequate security for … sensitive consumer information collected, processed, maintained, or stored … can constitute an unfair practice in violation of [the Consumer Financial Protection Act],” the agency says in Circular 2022-04.
A company doesn't have to have a breach to be hit with an enforcement action, the agency says, because a practice can be considered unfair if there’s a likelihood it can lead to consumer harm, even if the company claims to offset its weak practices by offering a greater good to consumers.
“The risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition,” the circular says.
CFPB went after Equifax in 2019 after hackers grabbed information on 140 million people by exploiting a software vulnerability that the credit reporting company knew about but didn’t take action on until it was too late.
“Equifax violated the prohibition on unfairness,” the agency says, “by using software that contained a known vulnerability.”
There’s overlap between CFPB’s authority to enforce against unfair practices and the Federal Trade Commission’s authority under its safeguards rule, authority the FTC has used to go after companies for poor data hygiene.
The CFPB points to these FTC actions in its analysis justifying its enforcement authority.
Among other companies the FTC has gone after are online check processor Qchex, which in 2006 made payments to account holders without verifying their identity, and companies involved in data management on behalf of Wyndham Hotels, which in 2012 was hit with breaches that compromised half a million account holders.
To reduce chances of getting hit with an enforcement action, the CFPB recommends companies use multi-factor authentication, employ the latest best practices in password management and be rigorous in patching and updating software – all steps companies with good data hygiene are already doing.
“The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act,” the agency says. But failure to follow these best practices “might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act.”