Financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data, and they may be held liable for putting those data at risk, according to a circular published by the consumer financial protection agency Thursday.
The Consumer Financial Protection Bureau (CFPB) said the circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.
“The CFPB is increasing its focus on potential misuse and abuse of personal financial data,” the agency said in a release. “As part of this effort, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.”
The bureau said the circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act (CFPA). However, the agency said, it does offer some examples where failure to implement certain security measures might increase the risk that a firm’s conduct triggers liability under the act. Those measures include multi-factor authentication, adequate password management, and timely software updates.