This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

Lack of Cyber Security Controls for Financial Firms May Be an Unfair Business Practice

The Consumer Financial Protection Bureau (CFPB) is jumping on board with the FTC and state attorney general precedent to regulate data privacy and security matters using its authority to police unfair and deceptive practices in the consumer finance arena.  The announcement cites prior FTC and other enforcement actions that employed a similar theory.  The statement goes so far as to say that even without a data breach, a financial firm could commit unfair practices if its security is lacking, because lax security puts consumer financial information at risk.  The CFPB explicitly recommends use of password management, multi-factor authentication, and "timely" software updates as part of any security scheme.

WHY IT MATTERS

The US has no national privacy or data security law (except in limited areas such as healthcare).  As state legislatures pass new state privacy laws, the country's federal agencies are trying to fill a perceived gap at the federal level by using their authority to prohibit unfair and deceptive trade practices nationally.  These laws, because they do not explicitly concern cyber and privacy matters, may pose more difficult compliance questions.  In this case, however, the CFPB has given three explicit measures as a baseline for adequate protection of consumer financial data.  Any business that could be subject to the CFPB would do well to adopt these immediately and document the fact that they have done so as a best practice recommended by the agency.  

In a newly released circular, the CFPB said that the failure of a bank or nonbank financial firm to adequately safeguard its customers' personal data can meet the criteria for unfairness under the Consumer Financial Protection Act, which prohibits unfair, deceptive and abusive acts or practices.

Tags

data security and privacy, hill_mitzi, insights, privacy, data security