On August 11, 2022, the CFPB issued the above Circular 2022-04 (herein “Circular”), in which the CFPB answers the question “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”

The Circular answers “Yes” to that question. It states: “‘[C]overed persons’ and ‘service providers’ must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B).” “Covered person” is defined in 12 U.S.C. 5481(6) as “(A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person.” “Service provider” is defined in 12 U.S.C. 5481(26) as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.”
