Compliance Blog

Aug 22, 2022

Data Security: It’s Also a UDAAP Issue

The Consumer Financial Protection Bureau (CFPB or bureau) recently published a “consumer financial protection circular” that concluded having insufficient data protection or information security could be an unfair act or practice, thereby implicating the federal prohibition against unfair, deceptive or abusive acts or practices (UDAAP).

To review, credit unions are already subject to a number of requirements relating data protection. For example, Part 748 of the National Credit Union Administration (NCUA) regulations includes the requirement to develop a written security program that addresses how the credit union will “[e]nsure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member.” Additionally, Appendix B to Part 748 provides guidelines for a credit unions to use when creating programs to respond to unauthorized access to member information. Finally, NCUA recently issued a proposed rule regarding notification requirements for certain cyber incidents, which we previously blogged about here.

The circular notes that other data protection and information security rules exist, but “[w]hile these requirements often overlap, they are not coextensive.” Thus, when considering practices and procedures for safeguarding member data and information, a credit union now needs to consider all of those NCUA requirements and the possibility of UDAAP risk.

Here is the CFPB’s justification for subjecting a credit union’s data security practices to UDAAP:

Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition.

(emphasis added).

Importantly, the CFPB points out that inadequate data security practices can also be “unfair” even when no data breach has occurred. The bureau states that the “substantial injury” prong of the unfairness analysis “is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”  The bureau’s analysis also goes on to discuss how consumers are unable to avoid the potential injury posed by inadequate data security practices, as most consumers are not familiar with the institution’s data security implementation or procedures.

The bureau also explains how, in their view, this conclusion is consistent with previous UDAAP precedent, discussing how their 2019 lawsuit against Equifax alleged inadequate data security practices amounted to unfair acts or practices. The bureau also discusses unfairness claims brought by the Federal Trade Commission (which had rulemaking and enforcement authority over unfair and deceptive acts or practices before the CFPB was created, and which still has UDAP authority over certain sectors) in both early and recent cases.

The bureau identifies the following circumstances as increasing the likelihood that a credit union’s data security practices will be inadequate and therefore a potential UDAAP issue:

  • Failing to offer multifactor authentication to employees or consumers;
  • Having inadequate password management policies or practices, such as using default enterprise logins or passwords, or failing to “monitor for breaches at other entities where employees may be re-using logins and passwords” and failing to notify users when a password reset is required as a result;
  • Failing to routinely “update systems, software, and code (including those utilized by contractors)” or failing patch known security vulnerabilities in commonly available software, including open source software and open source libraries.

Credit unions may want to review their data security practices to determine how they compare to the practices described in the CFPB circular. In addition, it may be helpful for credit unions to review the Architecture, Infrastructure and Operations booklet in the FFIEC’s Information Technology Examination Handbook, which also describes best practices for data security.

If there are any remaining questions, please contact us at compliance@nafcu.org

*****

Reg School On-Demand

Earn the highly-sought-after, award-winning NCCO and boost your career—all from your home or office. Register for NAFCU’s Regulatory Compliance School On-Demand. Here’s the agenda.

About the Author

Nick St. John, NCCO, NCBSO, Director of Regulatory Compliance, NAFCU

Nick St. John, Regulatory Compliance Counsel, NAFCUNick St. John, was named Director of Regulatory Compliance in August 2022. In this role, Nick helps credit unions with a variety of compliance issues.

Read full bio