Financial Services Law Developments: FYI: CFPB's New Data Security Standard Is Not So Standard

Thursday, August 18, 2022

FYI: CFPB's New Data Security Standard Is Not So Standard

Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.

This position is not new, as the CFPB has been pursuing covered entities for lax data security measures for some years.

In 2016 the CFPB brought its first data security enforcement action against Dwolla, a payment processor. What makes this action stand out is that Dwolla did not suffer a data breach nor was it accused of exposing consumer non-public information. Instead, the Bureau claimed the company mispresented to consumers the quality of its encryption and data-security protections.

In addition, the CFPB alleged Dwolla did not have "reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers' personal information." Dwolla was ordered to pay a $100,000 fine and take measures to fix its "security flaws."

In the intervening years, the CFPB has added information and data security to its examination procedures.

THE IMPORTANCE OF THE CIRCULAR

While the CFPB believes lax data security can be an unfair act when providing consumer financial services, the problem for covered entities is that the Bureau does not provide any detail on what are appropriate data security standards. In fact, the CFPB emphasizes that compliance with existing federal data security regulations might not be enough.

Last year, the Federal Trade Commission promulgated amendments to its Safeguards Rule addressing data security for entities subject to the federal Gramm-Leach-Bliley Act. Amendments that impose requirements on a covered entity's data security policies and procedures become effective on Dec. 9. Because the amended rule applies to entities that are also covered by the CFPB, you would expect compliance with the amended Safeguards Rule would satisfy the Bureau. But you would be wrong. The circular points out that the CFPB's expectations concerning data security are "not coextensive" with the Safeguards Rule or "other federal laws governing data security."

The timing of the release of the circular is also important. On July 21, ACA International, the American Financial Services Association, the Consumer Data Industry Association, and the National Automobile Dealers Association wrote the FTC requesting a one-year extension of the effective date of the new requirements. On Aug. 5, the Office of Advocacy of the U.S. Small Business Administration made a similar letter request. But even if the implementation of the new Safeguards Rule standards is delayed for another year, as the CFPB sees it, covered entities are already expected to have sufficient data protection controls in place today.

THREE PRACTICES DESIGNED TO FAIL

Although the circular does not explain what these appropriate controls might be, it does provide examples of practices likely to get covered entities in hot water.

First, not requiring multi-factor authentication or its equivalent "for its employees or offer[ing] multifactor authentication as an option for consumers accessing systems and accounts" may trigger liability.

Second, "not having adequate password management policies" will likely trigger a violation.

Third, the failure to have policies and procedures for updates and patches to "systems, software and code" is likely to trigger liability.

But as often has been the case with the Bureau, understanding which compliance measures will work is often found in its past enforcement actions and the circular devotes significant text to those.

ENFORCEMENT, EXAMINATION, AND INVESTIGATION OF DATA SECURITY

When the CFPB releases a circular like this one, you can expect to see enforcement actions, more rigorous examinations, and investigations centered around the circular's subject matter.

Such was the case following a 2014 release of a circular concerning the Furnisher Rule which applies standards for furnishing to credit reporting agencies and dispute investigations under the Fair Credit Reporting Act.

Following the release of the Furnisher Rule circular, several enforcement actions included allegations that the covered entity violated the rule and noted in its 2017 and 2019 reports that examinations of covered entities revealed non-compliance with the Furnisher Rule. And since data security and privacy are hot news topics, the Bureau will want to capture some of those headlines for itself.

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6^th Floor
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751

Mobile: (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

Financial Services Law Updates

and

The Consumer Financial Services Blog™

and

Webinars

PLEASE NOTE:

The editor and sponsoring law firm of this blog represent and serve banks, lenders, loan buyers, loan servicers, debt collectors, and other financial services companies. We do not represent consumers.

Any communications or information obtained may be provided to our clients, including for the purpose of debt collection.

The information in this blog and related updates is general in nature, and should not be considered legal advice.

Legal advice requires a full and complete understanding of a particular situation. Your situation may involve material facts that prevent the direct application of the information in this blog and related updates.

You will not become a client of the editor or sponsoring law firm simply by reading this blog.

In order to become a client of the editor or sponsoring law firm, the editor or sponsoring law firm must agree to represent you in writing.

Until we agree to represent you in writing, we are not prevented from representing any other party.

Until you are a client of the editor or sponsoring law firm, any communications with us will not be confidential.

The Editor's Bio

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, 33rd Floor
Chicago, Illinois 60602
Direct: (312) 493-0874
RWutscher@MauriceWutscher.com
https://www.MauriceWutscher.com/

Ralph Wutscher's practice focuses primarily on representing depository and non-depository mortgage lenders and servicers, as well as mortgage loan investors, distressed asset buyers and sellers, loss mitigation companies, automobile and other personal property secured lenders and finance companies, credit card and other unsecured lenders, and other consumer financial services providers. He represents the consumer lending industry as a litigator, and as regulatory compliance counsel.

Ralph has substantial experience in defending private consumer finance lawsuits, including cases ranging from large interstate putative class actions to localized single-asset cases, as well as in responding to regulatory investigations and other governmental proceedings. His litigation successes include not only victories at the trial court level, but also on appeal, and in various jurisdictions. He has successfully defended numerous putative class actions asserting violations of a wide range of federal and state consumer protection statutes. He is frequently consulted to assist other law firms in developing or improving litigation strategies in cases filed around the country.

Ralph also has substantial experience in counseling clients regarding their compliance with federal laws, and with state and local laws primarily of the Midwestern United States. For example, he regularly provides assistance in connection with portfolio or program audits, consumer lending disclosure issues, the design and implementation of marketing and advertising campaigns, licensing and reporting issues, compliance with usury laws and other limitations on pricing, compliance with state and local “predatory lending” laws, drafting or obtaining opinion letters on a single- or multi-state basis, interstate branching and loan production office licensing, evaluations and modifications of new or existing products and procedures, debt collection and servicing practices, proper methods of responding to consumer inquiries and furnishing consumer information, as well as proposed or existing arrangements with settlement service providers and other vendors, and the implementation of procedural or other operational changes following developments in the law.

Ralph is a member of the Governing Committee of the Conference on Consumer Finance Law. He is also the immediate past Chair of the Preemption and Federalism Subcommittee for the ABA's Consumer Financial Services Committee. He served on the Law Committee for the former National Home Equity Mortgage Association, and completed two terms as Co-Chair of the Consumer Credit Committee of the Chicago Bar Association.

Ralph received his Juris Doctor from the University of Illinois College of Law, and his undergraduate degree from the University of California at Los Angeles (UCLA). He is a member of the national Mortgage Bankers Association, the American Bankers Association, the Conference on Consumer Finance Law, DBA International, the ACA International Members Attorney Program, as well as the American and Chicago Bar Associations.

Ralph is admitted to practice in Illinois, as well as in the United States Court of Appeals for the Seventh Circuit, the United States District Courts for the Northern and Southern Districts of Illinois, and the United States District Court for the Eastern District of Wisconsin, and has been admitted pro hac vice in various jurisdictions around the country.