CFPB targets failed financial company consumer data safeguards

The Consumer Financial Protection Bureau (CFPB) recently confirmed in a circular that financial companies might violate federal consumer financial protection law when failing to safeguard consumer data.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common-sense steps to protect personal financial data.”

Per the CFPB, financial companies are at risk of violating the Consumer Financial Protection Act if they do not have adequate measures to protect against data security incidents, with the agency citing the 2017 Equifax data breach as an example.

Two years ago, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security.

According to the CFPB circular, multi-factor authentication makes it more difficult for adversaries to compromise enterprise user accounts and gain access to sensitive customer data. Unauthorized password use is a common data security issue, as is the use of default enterprise logins or passwords. Protocols for immediately updating software and addressing vulnerabilities once they become publicly known can reduce such occurrences.