The Consumer Financial Protection Bureau (CFPB) is following the precedent set by the FTC and state attorneys general in regulating data privacy and security matters under its authority to police unfair and deceptive practices in the consumer finance arena. The announcement cites prior FTC and other enforcement actions that relied on a similar theory. The statement goes so far as to say that, even without a data breach, a financial firm could commit an unfair practice if its security is lacking, because lax security puts consumer financial information at risk. The CFPB explicitly recommends password management, multi-factor authentication, and "timely" software updates as part of any security program.
WHY IT MATTERS
The US has no national privacy or data security law (except in limited sectors such as healthcare). As state legislatures pass new state privacy laws, federal agencies are trying to fill the perceived gap at the federal level by using their authority to prohibit unfair and deceptive trade practices nationwide. Because these unfair-and-deceptive-practices laws do not explicitly address cyber and privacy matters, they may pose more difficult compliance questions. In this case, however, the CFPB has named three explicit measures as a baseline for adequate protection of consumer financial data. Any business that could be subject to CFPB jurisdiction would do well to adopt these measures immediately and document that it has done so, since they are best practices recommended by the agency.