CFPB Scrutinizes Inadequate Data Protection Measures

The Consumer Financial Protection Bureau (“CFPB”) recently issued Consumer Financial Protection Circular 2022-04, confirming its increased focus on financial companies that violate federal consumer financial protection law when they fail to safeguard consumer data, and warning the industry against shoddy data protection practices. The circular posed this broader question to the industry: Can an entity be cited for a violation of the prohibition on unfair acts or practices in the Consumer Financial Protection Act (“CFPA”) when it has insufficient data protection or information security? The circular raised two important issues:

  1. In addition to the Safeguard Rules issued under the Gramm-Leach-Bliley Act (“GLBA”), “covered persons” and “service providers” must also comply with the Consumer Financial Protection Act (“CFPA”) in the protection of sensitive consumer information, such that the two are not “coextensive” of overlapping requirements; and
  2. Insufficient information security controls to protect the personal data of customers can be deemed a violation of the unfair acts or practices prohibitions of the CFPA – even in the absence of consumer harm or a breach.

This circular is another indication of the CFPB’s increasing scrutiny of companies’ mishandling of consumers’ financial data…
