Data-Safeguard Legal/Reputational Risk
Using another of its tools to set policy without prior public comment, the CFPB has released a circular stating that inadequate consumer-data safeguards may constitute a breach of the unfair, deceptive, or abusive acts or practices (UDAAP) protection standards subject to Bureau enforcement action. This is the case even if no consumers have been harmed, if only one consumer is adversely affected, or if a small amount of actual or potential damage puts many consumers at risk. The Bureau also prescribes data-safeguard standards firms and service providers must ensure to comply with CFPB expectations.