Extracted from Law360
On Aug. 11, the Consumer Financial Protection Bureau and the Federal Trade Commission made waves by signaling their intent to crack down on inadequate data security controls to safeguard consumer personal information.
The CFPB published a circular stating that covered persons or service providers — as defined in Title 12 of the U.S. Code, Section 5481 — including nonbank institutions and financial technology companies, may violate the Consumer Financial Protection Act, or CFPA, for inadequate data security controls to safeguard sensitive consumer information.
On the same day, the FTC issued an advance notice of proposed rulemaking, or ANPR, to request public comment on whether new rules are needed to address the harms resulting from commercial surveillance and lax data security practices.
Both the circular and the ANPR are broad and could establish extensive data security requirements for covered businesses that handle personal information.
The CFPB's Circular on Data Protection and Information Security
The CFPB asserts that failure to implement and maintain adequate security practices to protect sensitive personal information could constitute an unfair, deceptive or abusive act or practice, or UDAAP, in violation of the CFPA.
A UDAAP is defined as an act or practice that:
- Causes or is likely to cause substantial injury to consumers;
- Is not reasonably avoidable by consumers; and
- Is not outweighed by countervailing benefits to consumers or competition.
The circular makes it clear that neither an actual injury nor a data breach or computer intrusion is required to run afoul of the CFPA's prohibition on UDAAPs — inadequate security measures alone may impose a significant risk to consumers and constitute a UDAAP.
Importantly, in the Dodd-Frank Act, Congress explicitly did not grant the CFPB the authority to write a Safeguards Rule or to enforce the Safeguards Rule.
Indeed, the Safeguards Rule issued under the Gramm-Leach-Bliley Act — which applies to the same financial institutions that fall under the CFPA and was promulgated by and is enforced by the FTC, not the CFPB — imposes certain affirmative obligations to maintain adequate security controls to protect consumers' personal information.
This includes the requirement for nonbanking financial institutions to develop, implement and maintain a comprehensive written information security program with appropriate administrative, technical and physical safeguards.
The recently amended FTC Safeguards Rule includes greater specificity on the necessary security controls. The circular asserts that the requirements in the Safeguards Rule and the prohibition on UDAAPs "often overlap, [but] they are not coextensive."
Consequently, it appears that the CFPB, originally created by Congress in the Dodd-Frank Act, is using the existing legal structure to broadly interpret what security controls — or lack of security controls — would be considered a violation of the CFPA, despite the same statute denying the CFPB the authority to write or enforce a Safeguards Rule.
Through the circular, the CFPB does indeed appear to be venturing into data security regulation.
While the CFPB explicitly "does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act," it identifies the failure to implement three common data security practices — multifactor authentication, adequate password management and timely software updates — to potentially be inadequate data security.
Certainly, since the CFPB has not generally provided other guidance on reasonable security or data security standards or practices, the question remains how it may otherwise interpret what would be considered adequate data security practices.
The FTC's ANPR on Commercial Surveillance and Lax Data Security Practices
The FTC issued the ANPR requesting public comment on whether new rules are necessary to protect consumers' privacy and information, specifically to curb commercial surveillance and strengthen companies' data security posture.
The two Republican FTC commissioners — Noah Phillips and Christine Wilson — voted against issuing the ANPR, arguing that it is Congress that should enact comprehensive privacy legislation, not the FTC, and noted that because Congress is close to passing the American Data Privacy and Protection Act, or ADPPA, issuing the ANPR is premature.
The ANPR covers an enormous array of data privacy and security topics, including:
- Harms to consumers from commercial surveillance;
- Unique harms to children;
- Cost-benefit analysis and considerations of a proposed rule;
- Artificial intelligence and machine learning, and potential discrimination from such automated processes;
- Consumer consent, notice, transparency and disclosure about commercial surveillance; and
The FTC provides a lengthy list of 95 questions, broken out by topic, on which interested parties can comment, including:
- "Should, for example, new rules require businesses to implement administrative, technical, and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality, or integrity of covered data? If so, which measures? How granular should such measures be? Is there evidence of any impediments to implementing such measures?";
- "Do the data security requirements under the Children's Online Privacy Protection Act or the Gramm-Leach-Bliley Act Safeguards Rule offer any constructive guidance for a more general trade regulation rule on data security across sectors or in other specific sectors?";
- "Should the commission take into account other laws at the state and federal level[s] (e.g., the Children's Online Privacy Protection Act) that already include data security requirements. If so, how? Should the Commission take into account other governments' requirements as to data security (e.g., GDPR). If so, how?";
- "Which, if any, commercial incentives and business models lead to lax data security measures or harmful commercial surveillance practices? Are some commercial incentives and business models more likely to protect consumers than others? On which checks, if any, do companies rely to ensure that they do not cause harm to consumers?"; and
- "Are there practices or [security] measures to which children or teenagers are particularly vulnerable or susceptible?"
Overall, it is evident the FTC wants to curb data collection, processing and monetization practices, and establish stricter, more prescriptive data security requirements as a means of incentivizing companies to make the proper investments in their privacy and data security programs.
Historically, the FTC has used its statutory authority under Section 5 of the FTC Act — which, similar to the CFPA, makes unfair or deceptive acts or practices in or affecting commerce unlawful — to bring enforcement actions against entities within its jurisdiction, including nonbank financial institutions and other companies that have insufficient data security controls to safeguard consumer personal information.
The FTC has also promulgated rules pursuant to sector-specific statutes, such as the Children's Online Privacy Protection Act and the recently amended Safeguards Rule.
According to the Democratic commissioners, these enforcement actions and sector-specific rules have resulted in a piecemeal regulatory approach to data privacy and security.
This piecemeal approach, coupled with several other factors, has prompted the FTC to use its authority to approach data security by authoring rules under Section 18 of the FTC Act, more commonly known as Magnuson-Moss rulemaking.
One factor is the FTC's limited ability to seek monetary damages from first-time violators. The FTC also lacks adequate remedies; an injunction does not help a consumer whose personal information has already been compromised in a data breach.
Magnuson-Moss rulemaking requires the FTC to find unfair or deceptive acts or practices that are prevalent. The finding can be based on FTC cease-and-desist orders or on other information indicating a widespread pattern of unfair or deceptive acts or practices.
Since at least the 1980s, the FTC has generally declined to use its Magnuson-Moss rulemaking authority because of the extremely arduous process required to actually promulgate a rule using this authority — which on average has taken more than seven years.
While FTC Chair Lina Khan acknowledged Magnuson-Moss' shortcomings, she noted it would allow the FTC to impose civil penalties on first-time violators — the FTC Act currently restricts the FTC in this regard. It appears that the FTC sees public comment in response to the ANPR as the other information that it may need to ultimately propose a new rule.
While the lengthy rulemaking process will perhaps allow Congress the opportunity to consider the ADPPA, Phillips raised concerns in his dissent about the rulemaking derailing the ADPPA. The FTC is holding a public forum Sept. 8, with comments on the ANPR due Oct. 21.
Key Points in the ANPR
Scope includes employees as well as consumers.
The term "consumer" in the ANPR includes businesses and workers, not just individuals who transact with the business for goods and services.
The FTC wants to protect not just traditional consumers, but companies' employees, which will likely require companies to reconsider their overall data privacy and security programs.
Scope could apply broadly to a company's data privacy practices.
The ANPR aims to enhance companies' data security practices and control commercial surveillance.
In the ANPR press release, the FTC defines "commercial surveillance" to mean "the business of collecting, analyzing, and profiting from information about people." This definition is broad, suggesting that the FTC's rules could dictate a company's entire data privacy practices.
It appears that the FTC purposefully chose the word "surveillance" to express the breadth and pervasiveness of data practices it views as problematic.
Many of the data practices are unknown to consumers, which is a driving motivation in the ANPR:
Companies reportedly surveil consumers while they are connected to the internet — every aspect of their online activity, their family and friend networks, browsing and purchase histories, location and physical movements, and a wide range of other personal details.
Prescriptive data security requirements may be considered.
The FTC defines "data security" broadly to mean "breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices."
The FTC may draw some of the prescriptive requirements from the recently amended Safeguards Rule implementing Section 501(b) of the GLBA, which includes detailed information security requirements that nonbanking financial institutions are required to implement as part of their information security programs.
These prescriptive requirements include access controls, asset and data inventory, encryption of all customer information in transit and at rest with some exceptions for compensating controls, secure development practices, multifactor authentication with some exceptions for compensating controls, and periodic penetration testing and vulnerability assessments, among other security measures.
Some of these measures were effective starting Jan. 10, and the rest will come into effect Dec. 9.
Moreover, it will be interesting to see if a potential rule, under the "breach notification and disclosure practices" portion of the "data security" definition in the ANPR, incorporates the de facto breach notification obligations, set forth in the FTC's recently published blog post, which uses Section 5 of the FTC Act to potentially create new breach notification obligations.
Even though the ultimate impact of the CFPB's circular and the FTC's potential final rule is unknown, it is clear that enhancing data security programs to protect personal information is a critical area companies cannot ignore.
While no data security rule from the FTC is imminent, with the CFPB signaling that it intends to bring UDAAP enforcement actions against covered persons and service providers for failing to maintain adequate data security controls, covered persons and service providers should strongly consider reviewing their data security practices.
This is especially important for practices identified by the CFPB as potentially problematic — lack of multifactor authentication, inadequate password management and untimely software updates — to protect systems that may access or store consumers' personal information.
Consumer Financial Protection Bureau, "Circular 2022-04: Insufficient Data Protection or Security for Sensitive Consumer Information," August 11, 2022, available at https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.
Federal Trade Commission, "Trade Regulation Rule on Commercial Surveillance and Data Security," available at https://www.ftc.gov/system/files/ftc_gov/pdf/commercial_surveillance_and_data_security_anpr.pdf.
Kathleen Benway, Kim Peretti, and Kate Hanniford, "FTC Revises the Safeguards Rule and Proposes Mandatory Reporting of Cybersecurity Events," Alston & Bird Privacy, Cyber & Data Strategy Blog, November 1, 2021, available at https://www.alstonprivacy.com/ftc-revises-the-safeguards-rule-and-proposes-mandatory-reporting-of-cybersecurity-events/.
Federal Trade Commission, "Trade Regulation Rule on Commercial Surveillance and Data Security," 87 Fed. Reg. 51273.
Kathleen Benway and Robert H. Poole II, "Supreme Court Slashes FTC's Favored Route to Consumer Redress and Disgorgement," April 27, 2021, available at https://www.alston.com/en/insights/publications/2021/04/supreme-court-slashes-ftcs-favored-route.
Federal Trade Commission, "Commercial Surveillance and Data Security Public Forum," available at https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum.
Federal Trade Commission, "FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices," August 11, 2022, available at https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices.
Federal Trade Commission, "Security Beyond Prevention: The Importance of Effective Breach Disclosures," May 20, 2022, available at https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures; Alexander G. Brown, Kathleen Benway, and Daniel J. Felz, "FTC Blog Seems to Widen Scope of Breach Reporting Law," Law360, June 1, 2022.