A new circular from the CFPB provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.
The CFPB says it is increasing its focus on potential misuse and abuse of personal financial data. As part of that effort, the circular explains how and when firms may violate the Consumer Financial Protection Act with respect to data security: according to the bureau, financial companies risk violating the Act's prohibition on unfair acts or practices if they lack adequate measures to protect against data security incidents.
The circular also gives examples of widely implemented data security practices. It does not suggest that any particular practice is specifically required under the Consumer Financial Protection Act, but it notes that failing to implement measures such as the following may increase the risk that a firm's conduct triggers liability under the Act:
- multi-factor authentication;
- adequate password management; and
- timely software updates.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said Rohit Chopra, CFPB director. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”