On August 11, 2022, the CFPB issued a circular on data security and the question “[c]an entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”  The short answer is “yes.”

The CFPB highlights specific security measures to minimize risk. In line with the new GLBA Safeguards Rule, the measures include using multifactor authentication, requiring strong password management, and insuring timely software updates and patches.