CFPB Warning on Data Protection

The Consumer Financial Protection Bureau has issued a fresh warning to financial firms that they must keep customer data safe, and cited three specific cybersecurity controls as measures that firms should implement if they want to avoid liability under federal consumer protection law. 

The CFPB fired its warning shot on Thursday afternoon in the form of a circular, which is guidance the agency provides to enforcement staff — and which corporate compliance officers should read closely, so you know what to expect when an agency enforcement officer sits across from you at the conference table. This particular circular says that a company’s failure to implement adequate data protection measures can qualify as an unfair practice prohibited under the Consumer Financial Protection Act. 

Banks already have to meet high data protection standards to comply with the Gramm-Leach-Bliley Act. The CFPB notice is more a warning to “covered persons” and “service providers” to the financial sector, that they too have privacy obligations they need to meet.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB director Rohit Chopra said in a statement. “While many non-bank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common-sense steps to protect personal financial data.”

Translation: the CFPB is going to start bringing charges against more companies for sloppy data protection programs. 

The CFPB sanctioning firms for poor data security is not exactly new. For example, in 2019 the agency charged Equifax with violating the Consumer Financial Protection Act, in the wake of Equifax’s massive privacy breach in 2017. That breach arose from Equifax using a piece of open-source software known as web struts, which included an unpatched security flaw that ultimately exposed the data of 140 million consumers. 

Now the CFPB says that sort of mistake — failing to patch software in a timely manner — is precisely the sort of thing that will get a financial firm into trouble. 

Three Security Controls

The CFPB circular stressed the importance of three specific security controls for effective data protection:

  • Multi-factor authentication
  • Password management
  • Timely software updates

To be clear, the Consumer Financial Protection Act does not expressly tell financial firms to implement the above controls. Rather, the CFPB says, the absence of those three controls “might increase the risk that a firm’s conduct triggers liability” under the law. Which is a roundabout way of telling everyone that, yes, you should have these three controls in place.

Some specific points about each one:

Multi-factor authentication. “If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent,” then the firm probably can’t avoid liability in the event of a breach, the circular says.

So right away, my question would be whether IT auditors and cybersecurity risk managers know when they’re supposed to require MFA for employees: under what conditions (say, logging in from a remote network) or for what transactions (creating a super-user or administrator account, for example). CISA and other regulators have stressed the importance of MFA numerous times, and the SEC has even taken enforcement actions against some firms for failing to implement it where warranted.

Adequate password management. Inadequate password management, the circular said, includes “failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (including notifying users when a password reset is required as a result), and includes use of default enterprise logins or passwords.”

So that’s a policies-and-procedures exercise. For example, you’d need policies requiring default passwords on all new hardware to be changed, and you’d be well-served to audit compliance with that policy shortly thereafter. You might also want to drop an MFA control into your password reset policy for especially sensitive data or high-level administrator accounts. 

Timely software updates. “If covered persons or service providers do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability,” that could trigger liability, the circular says. Even better:

This includes not having asset inventories of which systems contain dependencies on certain software to make sure software is up to date and highlight needs for patches and updates. It also includes the use of versions of software that are no longer actively maintained by their vendors.

In other words, companies will need to pay lots of attention to their IT controls over patch management, software development, and even block-and-tackle stuff like maintaining a current IT asset inventory. It’s also interesting to see the reference to contractors, which means we have a third-party risk management dimension to all this too. 
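To make the asset-inventory point concrete, here is an added example (not from the circular or this article) of the kind of review the circular is describing: an inventory of which systems depend on which software versions, checked against critical advisories and vendor end-of-maintenance dates, with contractor-operated systems kept visible. The product names, versions, dates and contractors are all constructed for illustration.

```python
"""Review a software asset inventory for patch and maintenance gaps."""
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    name: str
    software: str
    version: tuple   # (major, minor, patch); tuples compare element-wise
    operator: str    # "internal" or the contractor that runs the system

# Constructed data: lowest version that fixes a critical advisory, per product
CRITICAL_FIX_VERSION = {"webframework": (2, 5, 13), "db-driver": (4, 2, 0)}

# Constructed data: date the vendor stopped maintaining a major version
END_OF_MAINTENANCE = {("webframework", 1): date(2020, 1, 1),
                      ("db-driver", 3): date(2021, 6, 30)}

# Constructed inventory, including two contractor-operated systems
INVENTORY = [
    Asset("customer-portal", "webframework", (2, 3, 1), "internal"),
    Asset("claims-api", "webframework", (2, 5, 13), "internal"),
    Asset("legacy-reporting", "webframework", (1, 9, 0), "Acme Hosting"),
    Asset("batch-loader", "db-driver", (3, 8, 2), "internal"),
    Asset("fraud-scoring", "db-driver", (4, 2, 1), "DataCo"),
]
REVIEW_DATE = date(2022, 8, 15)  # constructed "today" for the review

def review(inventory, fix_versions, end_of_maintenance, today):
    """Return (asset, issue, operator) for every patch or maintenance gap."""
    findings = []
    for a in inventory:
        fixed = fix_versions.get(a.software)
        if fixed is not None and a.version < fixed:
            findings.append((a.name, "below fixed version for critical advisory", a.operator))
        eom = end_of_maintenance.get((a.software, a.version[0]))
        if eom is not None and today > eom:
            findings.append((a.name, "version no longer maintained by vendor", a.operator))
    return findings

def by_operator(findings):
    """Group findings by who runs the system, so contractor gaps stand out."""
    grouped = {}
    for asset, issue, operator in findings:
        grouped.setdefault(operator, []).append((asset, issue))
    return grouped

if __name__ == "__main__":
    gaps = review(INVENTORY, CRITICAL_FIX_VERSION, END_OF_MAINTENANCE, REVIEW_DATE)
    for operator, items in by_operator(gaps).items():
        print(operator, items)
```

A system can show up twice (unpatched and unmaintained), and an asset whose software has no advisory or end-of-maintenance entry produces no finding, so the inventory itself has to be complete for the review to mean anything.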


Broadly speaking, CISOs and IT auditors at firms that act as service providers to financial institutions — communication platforms, data storage providers, marketing databases, and so forth — could have a lot to do here. At the least, you should start with those three controls mentioned above and be sure that you’ve implemented them to a degree you could defend if a data breach ever happened at your organization.

What’s interesting to me is that those three controls are all process-level controls to keep data secure. So audit and risk managers need to understand either how people interact with the data (multi-factor authentication and password management), or how the company manages IT to support the enterprise (timely patch management). 

You’ll need to know the business, which means close interaction between audit teams and the operating units. Funny how that concept keeps coming up more and more often in modern cybersecurity risk management.
