QUESTION
Last year, we were criticized by our regulator for not “safeguarding consumer data.” We revamped our policies and procedures for several weeks, hired an IT company, did penetration testing, and even hired a law firm to check our system. They brought in a firm such as yours to do an overview of our policies. So, we thought we covered all the bases.
We have just received a letter from the regulator. They are requesting an on-site visit soon. This was expected. But as we got ready for the examination, we learned that the CFPB is going after consumer protection violations, such as connecting to UDAAP violations.
Since we covered everything – or thought we did! – it would be great if you could fill in any possible blanks to prepare for the coming examination.
What important actions can we take to double-check our consumer data security?
ANSWER
Safeguarding consumer data requires constant vigilance. Some companies concentrate on the digital aspects alone, but that is not enough, and the obligation is not that narrow. I think your question is best understood in the context of insufficient data protection, because insufficient data protection may indeed lead to UDAAP violations.
The nexus to UDAAP violations is likely what the CFPB has in mind concerning safeguarding sensitive consumer information.[i] While the prohibitions in UDAAP are fact-specific, failure to implement common data security practices will significantly increase the likelihood that a firm may be violating UDAAP.
The CFPB issuance you mention is meant to increase the focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB is explaining how and when firms may be violating the Consumer Financial Protection Act (CFPA) with respect to data security. Specifically, financial companies are at risk of violating the CFPA if they fail to have adequate measures to protect against data security incidents.
I am going to describe the CFPB’s view of conduct that typically meets the first two elements of a UDAAP claim, that is, (1) the likeliness to cause substantial injury to consumers and (2) that it is not reasonably avoidable by consumers, which then increases the risk that an entity’s conduct triggers liability under the CFPA’s prohibition of unfair practices.
To put this in stark, declarative terms:
Inadequate data security can be an unfair practice in the absence of a breach or intrusion.[ii]
Note that the linkage to UDAAP does not require a breach or intrusion to have occurred: inadequate data security by itself can be enough. How did we get here?
Past data security incidents did it! For instance, the 2017 Equifax data breach led to the harvesting of sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the CFPA and other laws. In the case of Equifax, the CFPB alleged that Equifax violated the CFPA’s prohibition on unfair acts or practices.[iii] The Federal Trade Commission (FTC) also alleged that Equifax violated the FTC Act and the FTC’s Safeguards Rule, which implements Section 501 of the Gramm-Leach-Bliley Act (GLBA) and establishes certain requirements that nonbank financial institutions must adhere to for the protection of financial information.[iv]
Providers of consumer financial services are subject to specific requirements to protect consumer data.
Safeguards
In 2021, the FTC updated its Safeguards Rule, implementing section 501(b) of the GLBA to set forth specific criteria relating to the safeguards that certain nonbank financial institutions must implement as a part of their information security programs.
Among other things, these safeguards include:
· Limit who can access customer information.
· Require the use of encryption to secure such information.
· Require the designation of a single qualified individual to oversee the institution’s information security program, who reports at least annually to the institution’s board of directors or equivalent governing body.
The federal banking agencies also have issued interagency guidelines to implement section 501 of the GLBA.
Failure to comply with these requirements may violate the CFPA’s prohibition on unfair acts or practices in certain circumstances.
Here’s a Rule of Thumb for defining an unfair act or practice: it is an act or practice
· That causes or is likely to cause substantial injury to consumers,
· Which is not reasonably avoidable by consumers, and
· Is not outweighed by countervailing benefits to consumers or competition.
Turning to insufficient data protection, there are at least three safeguards you can implement that may serve to overcome allegations of not sufficiently protecting sensitive consumer data. I will discuss them briefly here. However, your policies and procedures must require them, and you must test their implementation regularly.
Safeguard Number One: Multi-Factor Authentication
Multi-factor authentication (MFA) is a security enhancement that requires multiple credentials (factors) before an account can be accessed. There are three satisfactory types of MFA:
1. Something you know, like a password.
2. Something you have, like a token.
3. Something you are, like your fingerprint.
Many of our clients use a common MFA setup that requires both a password and a temporary numeric code to log in. Another MFA factor is a hardware identification device. Not all factors provide the same level of security. MFA greatly increases the difficulty for adversaries to compromise enterprise user accounts and thereby gain access to sensitive customer data. MFA solutions that protect against credential phishing, such as those built on the web authentication standard (WebAuthn) supported by web browsers, are especially important.
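The password-plus-temporary-code setup described above is, in practice, a password check combined with a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) from an authenticator app. The following is an added example written for this column, not code from the article or from any client's system; it shows both factors being checked and a login that refuses to fall back to password-only when no authenticator is enrolled. The account, salt and base32 secret are constructed (the secret decodes to the seed used in the RFC 6238 test vectors, so the codes can be checked against the RFC's own table).

```python
"""Added example (not from the original article): a login that requires two
factors, something you know (a password) and something you have (a TOTP code
from an authenticator app, RFC 6238 on top of RFC 4226 HOTP)."""
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30       # authenticator apps rotate the code every 30 seconds
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret, submitted, at_time=None, window=1):
    """Accept the current code or one step either side to tolerate clock drift.
    Every candidate is compared in constant time and the loop never short-circuits."""
    now = int(time.time()) if at_time is None else at_time
    counter = now // STEP_SECONDS
    matched = False
    for drift in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + drift), submitted)
    return matched


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def login(account, password, code, at_time=None):
    """Both factors must pass. An account with no enrolled authenticator is refused
    rather than silently degrading to a password-only login."""
    if account.get("totp_secret") is None:
        return False
    if not verify_password(password, account["salt"], account["pw_digest"]):
        return False
    return verify_totp(account["totp_secret"], code, at_time)


# Constructed test account (hypothetical user, fixed salt for reproducibility). The
# base32 secret decodes to the ASCII seed "12345678901234567890" from RFC 6238.
ENROLLED_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
_salt, _digest = hash_password("correct horse battery staple", salt=b"\x00" * 16)
ACCOUNT = {
    "user": "analyst@example.test",
    "salt": _salt,
    "pw_digest": _digest,
    "totp_secret": ENROLLED_SECRET,
}

if __name__ == "__main__":
    print("code at T=59:", totp(ENROLLED_SECRET, 59))  # 287082 (RFC 6238 vector, 6 digits)
    print("login ok:", login(ACCOUNT, "correct horse battery staple", "287082", at_time=59))
    print("wrong code:", login(ACCOUNT, "correct horse battery staple", "000000", at_time=59))
```

Two design points worth noting for an examiner's benefit: the drift window is deliberately small (one step either side), because every extra step widens the set of codes an attacker could guess, and the password check runs before the code check so that the one-time code is never consumed on a wrong password. A TOTP code can still be phished in real time, which is why the article singles out WebAuthn-style factors as stronger.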
If your company or your service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts – or has not implemented a reasonably secure equivalent – it’s unlikely that you can adequately demonstrate that countervailing benefits to consumers or competition outweigh the potential harms. If that happens, you may well have caused a substantial increase in liability risk.[v]
Safeguard Number Two: Password Management
Most of us know that unauthorized use of passwords is a data security issue. Did you know that username and password combinations can be sold on the dark web or posted for free on the Internet? Once in the hands of criminals, this information is used to access accounts held by the consumer or employee.
If your company or your service provider does not have adequate password management policies and practices, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms. Consequently, liability risk increases. This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (and to notify users when a password reset is required as a result), as well as the use of default enterprise logins or passwords.[vi]
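The three practices named in this section (blocking passwords that have already leaked, detecting credential re-use when another entity is breached, and eliminating default enterprise logins) can each be turned into a check that runs on a schedule. The block below is an added example written for this column, not the article's or any vendor's code. The breach corpus, breach feed, employee directory, default-credential list and system names are all constructed; the corpus lookup is a local stand-in modelled on the k-anonymity range pattern that public breached-password services use (the client sends only the first five hex characters of the SHA-1 and matches the rest locally).

```python
"""Added example, not from the original article: three password-management checks
over constructed data. A real deployment would back BREACH_CORPUS with a breach-check
service and take DEFAULT_CREDENTIALS from vendor documentation."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # kept modest so the example runs quickly; production uses more


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_matches(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


# --- Check 1: is a candidate password already in a breach corpus? -----------------
# Constructed local corpus: 5-hex-char prefix -> set of 35-char suffixes.
BREACH_CORPUS = {}
for _leaked in ("password", "Summer2021!", "123456"):
    _h = sha1_upper(_leaked)
    BREACH_CORPUS.setdefault(_h[:5], set()).add(_h[5:])


def in_breach_corpus(password, range_lookup=BREACH_CORPUS.get):
    """k-anonymity pattern: only the hash prefix leaves the client; the suffix
    comparison happens locally, so the service never learns the full hash."""
    h = sha1_upper(password)
    return h[5:] in (range_lookup(h[:5]) or set())


# --- Check 2: who must be reset after a breach at another entity? -----------------
def reset_required(directory, external_breach):
    """directory: {email: (salt, digest)}; external_breach: iterable of
    (email, leaked_password) from a breach elsewhere. An employee whose leaked
    password still unlocks the enterprise account is re-using it and must be
    reset and notified."""
    to_reset = set()
    for email, leaked in external_breach:
        if email in directory and password_matches(leaked, *directory[email]):
            to_reset.add(email)
    return sorted(to_reset)


# --- Check 3: are any service accounts still on vendor defaults? -------------------
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "toor"), ("guest", "guest")}   # constructed list


def default_credential_findings(service_accounts):
    """service_accounts: list of {system, username, salt, digest}."""
    findings = []
    for acct in service_accounts:
        for user, pw in sorted(DEFAULT_CREDENTIALS):
            if user == acct["username"] and password_matches(pw, acct["salt"], acct["digest"]):
                findings.append((acct["system"], acct["username"]))
    return findings


# --- Constructed data ---------------------------------------------------------------
def make_account(system, username, password):
    salt, digest = hash_password(password, salt=system.encode().ljust(16, b"_")[:16])
    return {"system": system, "username": username, "salt": salt, "digest": digest}


DIRECTORY = {
    "alice@example.test": hash_password("Summer2021!", salt=b"a" * 16),
    "bob@example.test": hash_password("xK9#v2Lq!pRt-wide", salt=b"b" * 16),
}
# Feed from a breach at another company: alice re-used her password, bob did not,
# carol is not an employee at all.
BREACH_FEED = [
    ("alice@example.test", "Summer2021!"),
    ("bob@example.test", "bobs-old-forum-password"),
    ("carol@other.test", "hunter2"),
]
SERVICE_ACCOUNTS = [
    make_account("core-switch-01", "admin", "admin"),
    make_account("loan-app-db", "admin", "Z7!long-unique-db-secret"),
]

if __name__ == "__main__":
    print("breached:", in_breach_corpus("Summer2021!"))
    print("reset:", reset_required(DIRECTORY, BREACH_FEED))
    print("defaults:", default_credential_findings(SERVICE_ACCOUNTS))
```

The re-use check works only because the leaked password is verified against the stored enterprise hash; nothing requires the firm to store or log the leaked value itself, and the list it returns is exactly the set of users who must receive the reset notice the article mentions.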
Safeguard Number Three: Timely Software Updates
Software vendors regularly update software to address security vulnerabilities within a program or product. When patches are released, the public becomes aware of the prior vulnerabilities – but so do the hackers! Therefore, when companies use commonly available software[vii] and do not install a patch that has been released for that software or take other mitigating steps (if patching is not possible), they neglect to fix a security vulnerability that has become widely known.
In the CFPB’s aforementioned complaint against Equifax, Equifax’s 2017 failure to patch a known vulnerability resulted in hackers gaining access to Equifax’s systems, exposing the personal information of nearly 148 million consumers.
If your company or your service providers do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability.[viii]
This includes failing to maintain asset inventories that record which systems depend on particular software, so that the software can be kept current and needed patches and updates are flagged. It also includes running versions of software that are no longer actively maintained by their vendors.
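An asset inventory of the kind just described answers two questions an examiner will ask: which systems carry a given dependency, and which of them are behind a published fix or on an unmaintained branch. The block below is an added example for this column, not code from the article, the CFPB or any vendor. The inventory, the advisory (its id "ADV-EXAMPLE-0001" is a placeholder, not a real identifier), the package names and the end-of-life list are all constructed, and version comparison is limited to numeric dotted versions.

```python
"""Added example, not from the original article: a patch-status report over a
constructed asset inventory. Advisory ids and package names are placeholders."""
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str   # placeholder here; real ids come from the vendor's feed
    package: str
    fixed_in: str      # first version that contains the fix
    severity: str


@dataclass
class Asset:
    name: str
    owner: str         # team or contractor responsible for patching it
    packages: dict     # package -> installed version


def parse_version(version):
    """Numeric dotted versions only; a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_behind(installed, fixed_in):
    return parse_version(installed) < parse_version(fixed_in)


def on_branch(installed, branch):
    """True if the installed version lies on the given major(.minor) branch."""
    b = parse_version(branch)
    return parse_version(installed)[:len(b)] == b


def systems_depending_on(assets, package):
    """The inventory question: which systems contain this dependency?"""
    return sorted(a.name for a in assets if package in a.packages)


def patch_report(assets, advisories, unmaintained):
    """unmaintained: {package: [branches no longer maintained by the vendor]}."""
    findings = []
    for asset in assets:
        for pkg, installed in asset.packages.items():
            base = {"asset": asset.name, "owner": asset.owner,
                    "package": pkg, "installed": installed}
            for adv in advisories:
                if adv.package == pkg and is_behind(installed, adv.fixed_in):
                    findings.append({**base, "severity": adv.severity,
                                     "issue": f"{adv.advisory_id} fixed in {adv.fixed_in}"})
            for branch in unmaintained.get(pkg, []):
                if on_branch(installed, branch):
                    findings.append({**base, "severity": "high",
                                     "issue": f"branch {branch} is end-of-life"})
    return findings


# --- Constructed inventory and feeds -----------------------------------------------
ASSETS = [
    Asset("loan-origination-web", "apps team", {"webframework": "2.3.34", "tls-lib": "1.1.1"}),
    Asset("vendor-portal", "contractor-x", {"webframework": "2.5.13"}),
    Asset("legacy-batch", "ops team", {"webframework": "1.2.0"}),
]
ADVISORIES = [Advisory("ADV-EXAMPLE-0001", "webframework", "2.5.13", "critical")]
UNMAINTAINED = {"webframework": ["1"]}

if __name__ == "__main__":
    print("webframework lives on:", systems_depending_on(ASSETS, "webframework"))
    for f in patch_report(ASSETS, ADVISORIES, UNMAINTAINED):
        print(f"{f['severity']:8} {f['asset']:22} {f['owner']:12} {f['package']} "
              f"{f['installed']}: {f['issue']}")
```

Each finding carries the owner, which matters for the article's point about contractors: a system run by a third party still appears on the firm's report, and the firm, not the contractor, is the one answering the examiner.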
Chairman & Managing Director
[i] Insufficient Data Protection or Security for Sensitive Consumer Information, Consumer Financial Protection Circular 2022-04, August 11, 2022.
[ii] Id.
[iii] Complaint at 39-53, BCFP v. Equifax, Inc., 1:19-cv-03300 (N.D. Ga. July 22, 2019). The FTC also alleged that Equifax violated the FTC Act’s prohibition on unfair acts or practices.
[iv] Complaint at 45-46, FTC v. Equifax, Inc., 1:19-mi-99999-UNA (N.D. Ga. July 22, 2019).
[v] Op. cit. i, p. 6.
[vi] Op. cit. i, p. 7.
[vii] Including open-source software and open-source libraries.
[viii] Op. cit. i, pp. 7-8.