TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/1478106
46 | M R EP O RT SERVICING THE LATEST O R I G I NAT I O N S E R V I C I N G DATA G O V E R N M E N T S E C O N DA R Y M A R K E T CFPB Circular Addresses Potential Misuse of Personal Financial Data The Bureau notes that inadequate authentication, password management, or software update policies or practices are likely to cause substantial in- jury to consumers. T he Consumer Finan- cial Protection Bureau (CFPB) confirmed in a published circular that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforc- ers, including examples of when firms can be held liable for lax data security protocols. "Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse," CFPB Director Rohit Chopra said. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take common sense steps to pro- tect personal financial data." The CFPB is increasing its fo- cus on potential misuse and abuse of personal financial data. As part of these efforts, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with re- spect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents. Past data security incidents, including the 2017 Equifax data breach, have led to the harvest- ing of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in ad- dition to other laws. For ex- ample, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security. The circular also provides exam- ples of widely implemented data security practices. The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act. However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm's conduct triggers liability under the Consumer Financial Protection Act, including: • Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication can protect against credential phish- ing, such as those using the Web Authentication standard supported by web browsers. • Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using pass- words, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords. • Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continu- ously emerging threats. Upon announcement of these updates to address vulnerabilities, hack- ers immediately become aware that firms using older ver- sions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.