05 October 2022
Goodwin Procter LLP
In August 2022, the Consumer Financial Protection Bureau (CFPB) published a circular confirming that, under certain circumstances, entities may “violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security.” The circular sets forth the CFPB's analysis of relevant laws governing data security for financial institutions and provides several examples where a failure to implement certain data security measures may increase the risk that an entity's conduct triggers liability under the CFPA.
The CFPB states in the circular that inadequate security for the protection of sensitive consumer information collected, processed, maintained, or stored by “covered persons” and “service providers” can constitute an unfair practice in violation of the CFPA, 12 U.S.C. § 5536(a)(1)(B). The CFPA defines an unfair act or practice as an act or practice (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition. See 12 U.S.C. § 5531(c). According to the CFPB, inadequate security measures are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. The CFPB also specifies that inadequate data security can be an unfair practice even in the absence of a breach or intrusion, and that actual injury is not required to satisfy the first prong of the unfair act or practice standard set forth above.
The CFPB de ..