On August 11, the Consumer Financial Protection Bureau (CFPB) published a circular, answering the question “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?” with a resounding “yes.” Specifically, the CFPB pointed to three practices — inadequate authorization, poor password management, and lax software update policies — as examples of data security practices that would likely cause substantial unavoidable injury to consumers without a countervailing benefit and that could trigger liability for financial institutions and/or their service providers. Failure to comply with these requirements may violate the CFPA’s prohibition on unfair acts or practices.
The CFPA defines an unfair act or practice as one that:
- Causes or is likely to cause substantial injury to consumers;
  - Notably, actual injury is not required to satisfy this prong in every case. A significant risk of harm is also sufficient. In other words, this prong of the test is met even in the absence of a data breach if the inadequate data security measures “are likely to cause” substantial injury.
- Is not reasonably avoidable by consumers; and
  - The circular noted that consumers cannot reasonably avoid the harms caused by a firm’s data security failures, as they have no way of knowing whether appropriate security measures are properly implemented and have no control over the creation or implementation of an entity’s security measures.
- Is not outweighed by countervailing benefits to consumers or competition.
  - The CFPB noted it is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely caused by a company’s poor data security practices is outweighed by countervailing benefits to consumers or competition.
While the circular did not state that any particular security practices were required under the CFPA, it did note that the failure to implement the following measures may increase the risk of liability.
- Multifactor Authentication: This security enhancement requires multiple credentials, such as requiring both a password and a temporary numeric code, for consumers to log in to their account. While not outright requiring this measure, the circular states: “If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability.”
- Adequate Password Management: Unauthorized use of passwords is a common security concern. Usernames and passwords can be sold on the dark web or posted freely on the internet. To combat this, the CFPB now expects covered persons or service providers to have processes in place to monitor for breaches at other entities where employees may be reusing logins and passwords, and to notify users when a password reset is required as a result.
- Timely Software Updates: Software vendors often send out patches and other updates to address emerging threats. When the updates are announced, hackers immediately become aware of the vulnerabilities in the old software and move to exploit them. If covered persons or service providers do not routinely update systems, software, and code or fail to update them when notified of a critical vulnerability, they could be at risk for liability from the CFPB.
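The password-management item above describes a process (watch for exposure of reused credentials elsewhere, then force or request a reset) rather than a mechanism. The following is an added example, not part of the circular or of this firm's guidance, showing what such a check looks like in code. It models the k-anonymity "range" lookup that public breached-password services expose (only the first five characters of a SHA-1 hash are sent, never the full hash or the password), and a second signal based on the account's email address appearing in a third-party breach. The breach corpus, the email list, and the accounts are all constructed sample data; a real deployment would replace `range_lookup` with a call to an actual breach-data service.

```python
"""Screening credentials against breach data at login or password-change time.

Two defender-side checks, modelled on the k-anonymity range lookup that public
breached-password services expose (an assumption about how such a service is
used, not a description of any particular vendor):
  1. test the candidate password against a corpus of SHA-1 hashes of exposed
     passwords, sending only a 5-character hash prefix to the lookup;
  2. test the account's email against addresses seen in a third-party breach,
     so a reused work login can be flagged for reset even if the password is
     not known to the corpus.
All corpora, addresses and accounts below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


# Constructed sample: passwords assumed to have appeared in breaches elsewhere,
# with an exposure count, kept only as upper-case SHA-1 hex (the form in which
# range-lookup services publish them). Plaintext is shown here solely to build
# the sample corpus; a real corpus is obtained already hashed.
_EXPOSED_PLAINTEXTS = {"password123": 12847, "Summer2022!": 311, "letmein": 98201}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest of a password (the breach-corpus key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACHED_PASSWORD_HASHES = {sha1_hex(p): n for p, n in _EXPOSED_PLAINTEXTS.items()}

# Constructed sample: work addresses assumed to appear in another company's breach dump.
THIRD_PARTY_BREACH_EMAILS = {"alice@example-bank.test", "carol@example-bank.test"}


def range_lookup(prefix: str) -> dict[str, int]:
    """Stand-in for the remote range API (hypothetical): given a 5-hex-char prefix,
    return every matching hash suffix with its exposure count. The caller's full
    hash never leaves the caller, which is the k-anonymity property."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in BREACHED_PASSWORD_HASHES.items() if h.startswith(prefix)}


def exposure_count(password: str) -> int:
    """How many times the candidate password appears in breach data (0 = not found)."""
    full = sha1_hex(password)
    return range_lookup(full[:5]).get(full[5:], 0)


@dataclass
class CredentialEvent:
    username: str
    email: str
    candidate_password: str  # present only during login/change; never persisted


@dataclass
class Decision:
    username: str
    action: str  # "allow", "notify_reset" or "force_reset"
    reason: str


def screen(event: CredentialEvent) -> Decision:
    """Apply both checks; a known-exposed password is the stronger signal."""
    n = exposure_count(event.candidate_password)
    if n > 0:
        return Decision(event.username, "force_reset", f"password seen {n} times in breach data")
    if event.email.lower() in THIRD_PARTY_BREACH_EMAILS:
        return Decision(event.username, "notify_reset",
                        "login address appeared in a third-party breach; ask user to rotate")
    return Decision(event.username, "allow", "no breach indicators")


def screen_all(events: list[CredentialEvent]) -> list[Decision]:
    return [screen(e) for e in events]


if __name__ == "__main__":
    sample = [  # constructed events
        CredentialEvent("alice", "alice@example-bank.test", "Tr0ub4dor&3-unique"),
        CredentialEvent("bob", "bob@example-bank.test", "Summer2022!"),
        CredentialEvent("dave", "dave@example-bank.test", "correct horse battery staple"),
    ]
    for d in screen_all(sample):
        print(f"{d.username:6} {d.action:13} {d.reason}")
```

Two design points matter for the circular's framing: the check runs where the plaintext is legitimately available (authentication or password change), so nothing new is stored, and the prefix-only lookup means the monitoring process itself does not hand a third party the credential it is meant to protect.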
Seven Action Items for Financial Services and Other Organizations
While the CFPB guidance focuses on three leading controls whose absence often leads to catastrophic ransomware, data exfiltration, and other cyber impacts, these controls only work in tandem with a comprehensive information security program. To ensure a program is comprehensive, most financial institutions build their security programs around recognized industry frameworks (e.g., ISO 27001, NIST Cybersecurity Framework, Center for Internet Security (CIS) 18, and others). In any event, leading companies at a minimum maintain the controls identified in the CFPB guidance as part of the following seven essential industry practices:
- Inventory/Scope Location of Company Crown Jewels. Know your organization and maintain a current list of your people and critical software, hardware, network, and sensitive data assets, and know how they interrelate with one another. Knowing the boundaries of your IT and the location of your data and crown jewels allows for focus and the creation of a baseline of expected processes and behaviors that makes it easier to spot abnormal actions.
  - Implementation Tip: Use It or Lose It. If you don’t need it, then safely discard that asset and turn off access. For example, it’s far too easy to forget about that neglected website that malicious agents can use to access your internal systems. Always remember to remove former employees’ and vendors’ access and authorization rights.
- Classify the Data and Assess All Risks and Threats to the Data. Once the location, nature, and criticality of your data have been inventoried, many companies are developing data classification policies and performing a risk assessment to identify the various threat actors and risks to the data — not just cyber risks, but physical security vulnerabilities, vendor risks, and knowledgeable insiders.
  - Implementation Tip: Practice Makes Perfect. While historically primarily an IT activity, legal is increasingly involved in both (1) classifying the criticality and sensitivity of data based on the increasing patchwork of privacy and security laws and (2) conducting “mock” assessments of how the CFPB, FTC, OCR, and/or other regulators would review their security program and efforts.
- Develop a Comprehensive Information Security Policy Suite. Clearly stated expectations and requirements give guidance for everyone in the company, as well as vendors and customers.
  - Implementation Tip: Rely on or Refer to Industry Standards. Sources can include NIST, ISO, PCI, FFIEC, SEC, PSD2 in the EU, Basel III, CCPA-related U.S. and international privacy laws, and other laws.
- Maintain and Test Key Access Controls, Including Complex and Unique Passwords and Multifactor Authentication. Given the increasing threat of credential stuffing (i.e., exfiltrating user IDs and passwords at one site and using them at another site where the user has reused the same ID and password), requiring employees and potentially users to use credentials unique to your organization is of increasing importance.
  - Implementation Tip: Be Sure to Zone Out. In addition to password management and multifactor authentication, companies are using network zoning and related techniques to separate highly sensitive systems handling financial data from other production and test systems, and they are managing access controls on a need-to-know and role-based basis.
- Software Updates and Patch Management. As lack of patching is the leading cause of catastrophic cyberattacks and exfiltration of data, companies are increasingly rolling out policies and procedures to ensure that their organization keeps software current with the latest patch versions (and contract requirements to ensure that vendors and suppliers do the same).
  - Implementation Tip: Use Threat Intelligence to Get Smart. Many companies are increasingly subscribing to threat intelligence (or using the CIS, NIST, PCI, CSA, and other technical resources) for lists of industry threats and trends, emerging cyber vulnerabilities, and available patches/fixes in an effort to harden systems and thwart breaches.
- Encryption and Backup Are a Critical Pairing. While not part of the CFPB guidance, in the event of a ransomware attack or other cyber catastrophe, to be able to recover quickly and restore accurate data, it is critical for companies to encrypt and back up critical data and software and store it in a secure offsite location.
  - Implementation Tip: Hide the Backup. Hackers have been deleting backups found on compromised systems, so it is essential to have data backups stored offline beyond their reach.
- Train, Train, Train. As human error is often the root cause of a cyber vulnerability, many companies are increasing the frequency and scope of security training.
  - Implementation Tip. Many companies are running cyber simulation tabletop exercises to conduct a “dress rehearsal” of the coordination of roles in the event of a cyber incident, and employing tools to test their staff’s preparedness to detect and avoid the various phishing techniques and scams used by hackers to gain access to financial systems.
Troutman Pepper will continue to monitor important developments involving the CFPB and data security enforcement and will provide further updates as they become available.