Data security: It’s also a UDAAP issue

The Consumer Financial Protection Bureau (CFPB or bureau) recently published a “consumer financial protection circular” that concluded having insufficient data protection or information security could be an unfair act or practice, thereby implicating the federal prohibition against unfair, deceptive or abusive acts or practices (UDAAP).

To review, credit unions are already subject to a number of requirements relating to data protection. For example, Part 748 of the National Credit Union Administration (NCUA) regulations includes the requirement to develop a written security program that addresses how the credit union will “[e]nsure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member.” Additionally, Appendix B to Part 748 provides guidelines for credit unions to use when creating programs to respond to unauthorized access to member information. Finally, NCUA recently issued a proposed rule regarding notification requirements for certain cyber incidents, which we previously blogged about here.

The circular notes that other data protection and information security rules exist, but “[w]hile these requirements often overlap, they are not coextensive.” Thus, when considering practices and procedures for safeguarding member data and information, a credit union now needs to consider all of those NCUA requirements and the possibility of UDAAP risk.

Here is the CFPB’s justification for subjecting a credit union’s data security practices to UDAAP:
