Federal Agencies Indicate Intentions to Tighten Data Security Controls

By: Casey Reilly

Last month, two federal United States agencies, the Consumer Financial Protection Bureau (“CFPB”) and the Federal Trade Commission (“FTC”), separately indicated their intent to tighten existing consumer data security protocols.  The CFPB issued a circular, which is a policy statement that advises relevant authorities on how to enforce federal laws related to consumer finance.  Meanwhile, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR) requesting public comment on protecting consumers’ privacy and strengthening companies’ security posture.

The CFPB is the primary regulator of federal consumer financial law.  As stated in 12 U.S. Code § 5511, the purpose of the CFPB is to “enforce federal consumer financial law consistently for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent, and competitive.”  Circulars are published to promote consistency and provide transparency across the various agencies that enforce the laws the CFPB administers.  On August 11, 2022, the CFPB issued a circular stating that any covered entity, including nonbank institutions and financial technology companies, that fails to implement and maintain an adequate level of security practices to protect sensitive personal information could be in violation of the Consumer Financial Protection Act (CFPA) through an unfair, deceptive, or abusive act.

What is the base level required to remain in compliance?  The CFPB outlined three basic “bare minimum” requirements: multifactor authentication, password management, and regular, timely updates to software systems.  First, multifactor authentication, commonly referred to as “MFA,” requires two or more independent credentials to verify a user’s identity.  By combining something that the user knows, like a password, with something that the user has, such as a security token, MFA makes it much more difficult for an unauthorized person to gain access to the user’s account.  Second, password management provides a secure way to store passwords and retrieve them quickly when required.  When done properly, password management eliminates one of the most common entry points for data breaches.  Finally, covered entities are obligated to install updates and patches as they are released and to replace outdated software systems that no longer receive support or ongoing maintenance.

Additionally, the goal of the FTC’s ANPR is to strengthen companies’ data security practices and to limit the extent of commercial surveillance.  The FTC defines both data security and commercial surveillance broadly.  Commercial surveillance is “the business of collecting, analyzing, and profiting from information about people,” while data security refers to “breach risk mitigation, data management and retention, data minimization, and breach notification, and disclosure practices.”  While the FTC is still in the process of writing rules related to data security, certain requirements will likely include: encryption of all information in transit and at rest, multifactor authentication, asset and data inventory, access controls, and secure development practices.  Most recently, on September 8, 2022, the FTC held a public forum at which it invited individuals to submit proposed data security rules for consideration between now and the end of October.

Historically, the FTC has only been able to govern major companies that have breached privacy agreements with an agency.  These proposed rules will shift governance to include personal consumer data collected by companies like Alphabet Inc. and Meta Platforms Inc.  According to the rulemaking notice, the agency is concerned about any business that tracks consumer behavior across websites and apps to deliver personalized ads or those that use data-driven algorithms to unlawfully discriminate against consumers.

Although the proposed regulations of both agencies are not yet finalized, they are timely in signaling the importance of data security best practices among financial institutions and non-bank companies that handle consumers’ personally identifiable information.  Inadequate security measures by companies have the potential to cause significant harm to consumers that is ultimately out of their control.  Oftentimes, consumers control neither the design nor the implementation of a company’s security measures.  Furthermore, they have no practical way to determine the level of security their data is receiving once it is out of their own hands.  As a result, the CFPB has reiterated that an actual breach need not occur for an injury to satisfy the unfair act or practice violation of the CFPA.

What is next for companies governed under the CFPA?  They will need to reevaluate their existing information security programs and ensure that they comply with the updated protocols.  In addition, more stringent requirements could be enacted within the FTC’s domain of breach notification obligations.  Ultimately, these enhanced security measures represent a proactive method to better safeguard consumers’ personal information.

Student Bio: Casey Reilly is a second-year student at Suffolk University Law School.  She is a staff writer on the Journal of High Technology Law.  Prior to law school, Casey received a Bachelor of Science Degree in International Business, with a concentration in Finance from Bryant University and spent several years working at a financial services institution in Boston.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.