[Federal Register Volume 87, Number 171 (Tuesday, September 6, 2022)] [Rules and Regulations] [Pages 54346-54349] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2022-19075] ======================================================================= ----------------------------------------------------------------------- BUREAU OF CONSUMER FINANCIAL PROTECTION 12 CFR Chapter X Consumer Financial Protection Circular 2022-04: Insufficient Data Protection or Security for Sensitive Consumer Information AGENCY: Bureau of Consumer Financial Protection. ACTION: Consumer Financial Protection Circular. ----------------------------------------------------------------------- SUMMARY: The Consumer Financial Protection Bureau (Bureau or CFPB) has issued Consumer Financial Protection Circular 2022-04, titled, ``Insufficient Data Protection or Security for Sensitive Consumer Information.'' In this circular, the Bureau responds to the question, ``Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?'' DATES: The Bureau released this circular on its website on August 11, 2022. ADDRESSES: Enforcers, and the broader public, can provide feedback and comments to [email protected]. FOR FURTHER INFORMATION CONTACT: Jaclyn Sellers, Senior Counsel, Office of Supervision, Fair Lending and Enforcement, at (202) 435-2661. If you require this document in an alternative electronic format, please contact [email protected]. SUPPLEMENTARY INFORMATION: Question Presented Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security? Response Yes. In addition to other Federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), ``covered persons'' and ``service providers'' must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B). While these requirements often overlap, they are not coextensive. Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion. Analysis Widespread data breaches and cyberattacks have resulted in significant harms to consumers, including monetary loss, identity theft, significant time and money spent dealing with the impacts of the breach, and other forms of financial distress. Providers of consumer financial services are subject to specific requirements to protect consumer data. In 2021, the Federal Trade Commission (FTC) updated its Safeguards Rule implementing section 501(b) of GLBA, to set forth specific criteria relating to the safeguards that certain nonbank financial institutions must implement as a part of their information security programs.\1\ These safeguards, among other things, limit who can access customer information, require the use of encryption to secure such information, and require the designation of a single qualified individual to oversee an institution's information security program and report at least annually to the institution's board of directors or equivalent governing body. The Federal banking agencies also have issued interagency guidelines to implement section 501 of GLBA.\2\ --------------------------------------------------------------------------- \1\ 86 FR 70272 (Dec. 9, 2021). \2\ See 66 FR 8616 (Feb. 1, 2001). These guidelines are currently codified at 12 CFR pt. 30, appendix B (OCC); Regulation H, 12 CFR 208, appendix D-2 (Board); Regulation Y, 12 CFR 225, appendix F (Board); 12 CFR pt. 364, appendix B (FDIC). --------------------------------------------------------------------------- In certain circumstances, failure to comply with these specific requirements may also violate the CFPA's prohibition on unfair acts or practices. The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition.\3\ --------------------------------------------------------------------------- \3\ 12 U.S.C. 5531(c). The unfairness standard in the CFPA is similar to the unfairness standard in section 5 of the Federal Trade Commission Act. --------------------------------------------------------------------------- A practice causes substantial injury to consumers when it causes significant harm to a few consumers or a small amount of harm to many consumers. For example, inadequate data security measures can cause significant harm to a few consumers who become victims of targeted identity theft as a result, or it can cause harm to potentially millions of consumers when there are large customer-base-wide data breaches. Information security weaknesses can result in data breaches, cyberattacks, exploits, ransomware attacks, and other exposure of consumer data.\4\ --------------------------------------------------------------------------- \4\ Compliance Management Review--Information Technology, CFPB Examination Procedures (Sept. 2021), https://files.consumerfinance.gov/f/documents/cfpb_compliance-management-review-information-technology_examination-procedures.pdf. --------------------------------------------------------------------------- Further, actual injury is not required to satisfy this prong in every case. A significant risk of harm is also sufficient. In other words, this prong of unfairness is met even in the absence of a data breach. Practices that ``are likely to cause'' substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.\5\ --------------------------------------------------------------------------- \5\ See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 246 (3d Cir. 2015) (``Although unfairness claims `usually involve actual and completed harms,' `they may also be brought on the basis of likely rather than actual injury,' `[and] the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.' '') (interpreting unfairness standard in the FTC Act, for which precedent is often used in interpreting the similar CFPA standard) (citations omitted). --------------------------------------------------------------------------- [[Page 54347]] Consumers cannot reasonably avoid the harms caused by a firm's data security failures. They typically have no way of knowing whether appropriate security measures are properly implemented, irrespective of disclosures provided. They do not control the creation or implementation of an entity's security measures, including an entity's information security program. And consumers lack the practical means to reasonably avoid harms resulting from data security failures.\6\ --------------------------------------------------------------------------- \6\ FTC v. Neovi, Inc., 598 F. Supp. 2d 1104, 1115 (S.D. Cal. 2008) (``[C]onsumers who had their bank accounts accessed without authorization had no chance whatsoever to avoid the injury before it occurred.''). --------------------------------------------------------------------------- Where companies forgo reasonable cost-efficient measures to protect consumer data, like those measures identified below, the CFPB expects the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition. The CFPB is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely to have been caused by a company's poor data security practices was outweighed by countervailing benefits to consumers or competition.\7\ Given the harms to consumers from breaches involving sensitive financial information, this is not surprising. --------------------------------------------------------------------------- \7\ FTC v. Neovi, 604 F.3d 1150, 1158 (9th Cir. 2010) (``The FTC also met its burden of showing that consumer injury was not outweighed by countervailing benefits to consumers or to competition.''); FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014) (defendant challenged first two elements, but not the countervailing benefits finding). --------------------------------------------------------------------------- Relevant Precedent On July 22, 2019, the CFPB alleged that Equifax violated the CFPA's prohibition on unfair acts or practices.\8\ The FTC also alleged that Equifax violated the FTC Act and the FTC's Safeguards Rule, which implements section 501 of GLBA and establishes certain requirements that nonbank financial institutions must adhere to in order to protect financial information.\9\ --------------------------------------------------------------------------- \8\ Complaint at 39-53, BCFP v. Equifax, Inc., 1:19-cv-03300 (N.D. Ga. July 22, 2019), https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf. The FTC also alleged that Equifax violated the FTC Act's prohibition on unfair acts or practices. \9\ Complaint at 45-46, FTC v. Equifax, Inc., 1:19-mi-99999-UNA (N.D. Ga. July 22, 2019), https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_complaint_7-22-19.pdf. --------------------------------------------------------------------------- In its complaint against Equifax, the CFPB alleged an unfairness violation based on Equifax's failure to provide reasonable security for sensitive personal information it collected, processed, maintained, or stored within computer networks.\10\ In particular, Equifax violated the prohibition on unfairness (as well as the FTC's Safeguards Rule) by using software that contained a known vulnerability and failing to patch the vulnerability for more than four months. Hackers exploited the vulnerability to steal over 140 million names, dates of birth, and SSNs, as well as millions of telephone numbers, email addresses, and physical addresses, and hundreds of thousands of credit card numbers and expiration dates.\11\ --------------------------------------------------------------------------- \10\ Complaint at 40-42, BCFP v. Equifax, Inc., https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf. \11\ The CFPB, FTC, and state Attorneys General imposed $700 million in relief and penalties against Equifax. --------------------------------------------------------------------------- Before the Equifax matter, law enforcement actions related to inadequate authentication triggered liability under the FTC Act's prohibition on unfair practices. In 2006, the FTC sued online check processor Qchex and related entities for violating the FTC Act. The FTC alleged that it was an unfair practice to create and deliver checks without verifying that the person requesting the check was authorized to draw checks on the associated bank account.\12\ Qchex created checks ``even when the customer's name differed from the name on the bank account listed on the checks or from the name on the credit card account the customer used to pay for [Qchex's] services.'' \13\ --------------------------------------------------------------------------- \12\ See Complaint at 10, FTC v. Neovi, Inc., 598 F. Supp. 2d 1104 (S.D. Cal. 2008) (No. 06 Civ. 1952), aff'd, 604 F.3d 1150 (9th Cir. 2010). \13\ Id. at 5. --------------------------------------------------------------------------- Even after setting up certain identity verification procedures, Qchex bypassed those procedures for some customers.\14\ Ultimately, a court observed, ``it was a simple matter for unscrupulous opportunists to obtain identity information and draw checks from accounts that were not their own.'' \15\ That court confirmed that Qchex injured consumers by creating and delivering unverified checks, in violation of section 5 of the FTC Act.\16\ Implementation of common-sense practices--including those that are now required under the FTC's Safeguards Rule--protects consumers from injury and that, in turn, mitigates potential liability for businesses. --------------------------------------------------------------------------- \14\ Id. at 6. \15\ Neovi, Inc., 604 F.3d at 1154. \16\ Id. at 1157. --------------------------------------------------------------------------- Liability for unfair acts or practices has also been triggered in the context of password management and routine software updates. In 2012, the FTC sued multiple entities associated with the Wyndham hospitality company for their failures ``to employ reasonable and appropriate measures to protect personal information against unauthorized access'' in violation of the FTC Act's prohibitions on deceptive and unfair acts and practices.\17\ The inadequate data security practices included ``using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities,'' servers that used ``well-known default user IDs and passwords . . . which were easily available to hackers through simple internet searches,'' and password management policies that did not require ``the use of complex passwords for access to the Wyndham- branded hotels' property management systems and allow[ing] the use of easily guessed passwords.'' \18\ --------------------------------------------------------------------------- \17\ First Amended Complaint at 19, FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014) (No. 13 Civ. 1887), aff'd, 799 F.3d 236 (3d Cir. 2015). \18\ Id. at 11. --------------------------------------------------------------------------- The FTC alleged that, due to these and other deficient security measures, ``intruders were able to gain unauthorized access to [Wyndham's] computer network . . . on three separate occasions'' and retrieved ``customers' payment card account numbers, expiration dates, and security codes.'' \19\ One such incident led to ``the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers' payment card account numbers to a domain registered in Russia.'' \20\ When Wyndham argued that data security issues were outside the bounds of the FTC's unfairness authority, the courts confirmed that ``the FTC has authority to regulate cybersecurity under the unfairness prong of'' section 5(a) of the FTC Act and that regulated entities have adequate notice that cybersecurity issues could lead to violations of that provision.\21\ --------------------------------------------------------------------------- \19\ Id. at 12-13. \20\ Id. at 15. \21\ Wyndham Worldwide Corp., 799 F.3d at 240. --------------------------------------------------------------------------- In March 2022, the FTC announced an administrative complaint and proposed consent orders against Residual Pumpkin Entity, LLC and PlanetArt, LLC, respectively the former and current operators of CafePress, a customized [[Page 54348]] merchandise e-commerce platform.\22\ The FTC's complaint documented several inadequate data security practices, including the failure to ``implement patch management policies and procedures to ensure timely remediation of critical security vulnerabilities,'' the failure to ``establish or enforce rules sufficient to make user credentials (such as username and password) hard to guess,'' the failure to disclose security incidents to relevant parties, and inadequate ``measures to prevent account takeovers through password resets using data known to have been obtained by hackers.'' \23\ --------------------------------------------------------------------------- \22\ CafePress, 87 FR 16187 (FTC Mar. 22, 2022) (analysis of proposed consent orders to aid public comment). \23\ Complaint at 4-5, In re Residual Pumpkin Entity, LLC and PlanetArt, LLC, No. 1923209, (FTC June 23, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/1923209CafePressComplaint.pdf. --------------------------------------------------------------------------- While the prohibition on unfair practices is fact-specific, the experience of the agencies suggests that failure to implement common data security practices will significantly increase the likelihood that a firm may be violating the prohibition. In the examples below, the Circular describes conduct that will typically meet the first two elements of an unfairness claim (likely to cause substantial injury to consumers that is not reasonably avoidable by consumers), and thus increase the likelihood that an entity's conduct triggers liability under the CFPA's prohibition of unfair practices. 1. Multi-Factor Authentication Multi-factor authentication (MFA) is a security enhancement that requires multiple credentials (factors) before an account can be accessed.\24\ Factors fall into three categories: something you know, like a password; something you have, like a token; and something you are, like your fingerprint. A common MFA setup is supplying both a password and a temporary numeric code in order to log in. Another MFA factor is the use of hardware identification devices. MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. MFA solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers, are especially important. --------------------------------------------------------------------------- \24\ Back to Basics: What's multi-factor authentication--and why should I care?, National Institute of Standards and Technology, https://www.nist.gov/blogs/cybersecurity-insights/back-basics-whats-multi-factor-authentication-and-why-should-i-care. --------------------------------------------------------------------------- If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability.\25\ --------------------------------------------------------------------------- \25\ For a more thorough discussion of MFA, please refer to Cybersecurity & Infrastructure Security Agency's (CISA's) Multi- Factor Authentication page, or the National Institute of Standards and Technology's (NIST's) Digital Identity Guidelines. Multi-Factor Authentication, CISA, https://www.cisa.gov/mfa; Digital Identity Guidelines: Authentication and Lifecycle Management; Authenticator Assurance Level 2, NIST, (June 2017), https://pages.nist.gov/800-63-3/sp800-63b.html. --------------------------------------------------------------------------- 2. Password Management Unauthorized use of passwords is a common data security issue. Username and password combinations can be sold on the dark web or posted for free on the internet, which can be used to access not just the accounts in question, but other accounts held by the consumer or employee. If a covered person or service provider does not have adequate password management policies and practices, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability.\26\ This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (including notifying users when a password reset is required as a result) and includes use of default enterprise logins or passwords. --------------------------------------------------------------------------- \26\ Good Security Habits, CISA, (Feb. 1, 2021), Good Security Habits [verbar] CISA. --------------------------------------------------------------------------- 3. Timely Software Updates Software vendors regularly update software to address security vulnerabilities within a program or product. When patches are released, the public, including hackers, become aware of the prior vulnerabilities. Therefore, when companies use commonly available software, including open-source software and open-source libraries,\27\ and do not install a patch that has been released for that software or take other mitigating steps if patching is not possible, they neglect to fix a security vulnerability that has become widely known. As noted in the CFPB's complaint against Equifax, Equifax's 2017 failure to patch a known vulnerability resulted in hackers gaining access to Equifax's systems that exposed the personal information of nearly 148 million consumers.\28\ --------------------------------------------------------------------------- \27\ FTC warns companies to remediate Log4j security vulnerability (Jan. 4, 2022), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability. (``Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Recently, a serious vulnerability in the popular Java logging package, Log4j (CVE-2021- 44228) was disclosed, posing a severe risk to millions of consumer products to enterprise software and web applications.'') \28\ Complaint at 13, BCFP v. Equifax, Inc., https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf. --------------------------------------------------------------------------- If covered persons or service providers do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability. This includes not having asset inventories of which systems contain dependencies on certain software to make sure software is up to date and highlight needs for patches and updates. It also includes the use of versions of software that are no longer actively maintained by their vendors. About Consumer Financial Protection Circulars Consumer Financial Protection Circulars are issued to all parties with authority to enforce Federal consumer financial law. The CFPB is the principal Federal regulator responsible for administering Federal consumer financial law, see 12 U.S.C. 5511, including the Consumer Financial Protection Act's prohibition on unfair, deceptive, and abusive acts or practices, 12 U.S.C. 5536(a)(1)(B), and 18 other ``enumerated consumer laws,'' 12 U.S.C. 5481(12). However, these laws are also enforced by State attorneys general and State regulators, 12 U.S.C. 5552, and prudential regulators including the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the National Credit Union Administration. See, e.g., 12 U.S.C. 5516(d), 5581(c)(2) (exclusive enforcement authority for banks and credit unions with $10 billion or less in assets). Some Federal consumer financial laws are also enforceable by other Federal agencies, including the Department of Justice and the Federal Trade Commission, the Farm Credit Administration, the Department of Transportation, and the Department of Agriculture. In addition, some of these laws provide for private enforcement. Consumer Financial Protection Circulars are intended to promote [[Page 54349]] consistency in approach across the various enforcement agencies and parties, pursuant to the CFPB's statutory objective to ensure Federal consumer financial law is enforced consistently. 12 U.S.C. 5511(b)(4). Consumer Financial Protection Circulars are also intended to provide transparency to partner agencies regarding the CFPB's intended approach when cooperating in enforcement actions. See, e.g., 12 U.S.C. 5552(b) (consultation with CFPB by State attorneys general and regulators); 12 U.S.C. 5562(a) (joint investigatory work between CFPB and other agencies). Consumer Financial Protection Circulars are general statements of policy under the Administrative Procedure Act. 5 U.S.C. 553(b). They provide background information about applicable law, articulate considerations relevant to the Bureau's exercise of its authorities, and, in the interest of maintaining consistency, advise other parties with authority to enforce Federal consumer financial law. They do not restrict the Bureau's exercise of its authorities, impose any legal requirements on external parties, or create or confer any rights on external parties that could be enforceable in any administrative or civil proceeding. The CFPB Director is instructing CFPB staff as described herein, and the CFPB will then make final decisions on individual matters based on an assessment of the factual record, applicable law, and factors relevant to prosecutorial discretion. Rohit Chopra, Director, Consumer Financial Protection Bureau. [FR Doc. 2022-19075 Filed 9-2-22; 8:45 am] BILLING CODE 4810-AM-P