The Consumer Financial Protection Bureau recently confirmed that companies without adequate safeguards to protect consumer data are at greater risk of being held liable under the Consumer Financial Protection Act.
According to an Aug. 11 circular, failing to implement the following data security measures places companies at risk:
- Multi-factor authentication. “Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data,” the CFPB stated. “Multi-factor authentication can protect against credential phishing, such as those using the web authentication standard supported by web browsers.”
- Adequately managing passwords. According to the CFPB, unauthorized use of passwords and default enterprise logins or passwords could lead to username and password combinations being sold on the dark web or posted online for free, increasing the risk of future breaches. “For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords,” the CFPB stated.
- Timely software updates. Once vendors and creators send patches and other updates to address emerging threats, hackers learn that firms are potentially using vulnerable versions of software. “Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities,” the CFPB stated.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud and abuse,” CFPB Director Rohit Chopra said in the circular. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common-sense steps to protect personal financial data.”
A number of high-profile data breaches have taken place in recent years. In 2019, the CFPB, Federal Trade Commission and state attorneys general reached a $700 million settlement with the credit reporting agency Equifax for violating the Consumer Financial Protection Act, following the company’s 2017 data breach that compromised the private records of approximately 147 million Americans.