Financial companies that don't protect consumer data may violate federal consumer protection law, a federal agency said.
The Consumer Financial Protection Bureau issued a circular that outlines financial firms' responsibilities to guard consumer data, saying that failure to do so could be a violation of the Consumer Financial Protection Act.
The move is part of a set of broader policy statements and
"Financial firms that cut corners on data security put their customers at risk of identity theft, fraud and abuse," CFPB Director Rohit Chopra said in a statement. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common sense steps to protect personal financial data."
The CFPB said it's increasing its focus on the "potential misuse and abuse of personal finance data." In the circular, the agency specifies that acts and practices are unfair when they're likely to cause substantial harm, and when the financial company wouldn't put itself at a competitive disadvantage by preventing that harm.
Specifically, the agency listed multifactor authentication, password management and timely software updates as measures financial companies should use to prevent consumer harm involving personal data. If a company lacks any of these preventive measures, the CFPB said, that omission is unlikely to have any countervailing benefits and could cause substantial consumer harm.
Notably, the agency said that a company doesn't need to experience a data breach in order for its protection of consumer data to be deemed inadequate and for the firm to be violating the Consumer Financial Protection Act.
"Actual injury is not required to satisfy this prong in every case," the CFPB said. "A significant risk of harm is also sufficient."
Practices that "are likely to cause" substantial injury, such as inadequate data security measures, may violate the law, the agency warned.
The CFPB cited
"While the prohibition on unfair practices is fact-specific, the experience of the agencies suggests that failure to implement common data security practices will significantly increase the likelihood that a firm may be violating the prohibition," the agency said.