FAQ – UDAAP and Password Management

May 23, 2024 BY MQMR Blogger

Question: Can weak password management or other ineffective information technology controls be considered UDAAP violations?

Answer:

According to the Consumer Financial Protection Bureau (CFPB), yes. The CFPB’s Supervisory Highlights, Issue 30 (Summer 2023) indicated that CFPB examiners found institutions engaged in unfair acts or practices by failing to implement adequate information technology security controls that could have prevented or mitigated cyberattacks. The CFPB pointed to the following specific issues cited by examiners:
  • Weak password management policies;
  • Failure to establish adequate log-in attempt controls; and
  • Failure to adequately implement multifactor authentication or a reasonable equivalent.
The CFPB reasoned that, in the instances reviewed, inadequate information technology controls caused substantial consumer harm, as bad actors were able to take advantage of the vulnerabilities and steal consumer funds. Further, the CFPB indicated that consumers were also injured because they had to devote significant time and resources to dealing with the impacts of the breach (i.e. time spent enrolling in credit monitoring and/or identity theft protection services, and/or changing their log-in credentials). The CFPB noted that impacted consumers could not reasonably avoid such injuries because they had no control over the institutions' security measures. Finally, the CFPB concluded that the injuries to consumers outweighed any countervailing benefits, such as avoiding the cost of implementing the information technology controls necessary to prevent these types of attacks.