Skip to content

Licensing

Only Make Privacy Promises You Can Keep: Data Security and Cyber Readiness - Top Regulatory Priorities

Regulators at the federal and state levels are focused on non-banks' cyber-readiness. In August 2022, the Consumer Financial Protection Bureau (CFPB) released circular 2022-04, confirming that a company's failure to safeguard consumer information, even if unintentional, could count as an unfair act or practice. Here is what the rule signals and how firms can prepare.

← All articles
Filed under Licensing

Regulatory Focus on Cyber-readiness is Expanding

Regulators at the federal and state levels are paying close attention to non-banks' cyber-readiness. In August 2022, the Consumer Financial Protection Bureau (CFPB) released its circular 2022-04. The circular confirmed that a company's failure to safeguard consumer information, even if unintentional, could count as an "unfair act or practice." Consumer Financial Protection Circular 2022-04: Insufficient data protection or security for sensitive consumer information | Consumer Financial Protection Bureau (consumerfinance.gov)

The CFPB announcement is the third major regulatory development tied to non-banks' cybersecurity programs. It also confirms the Bureau's support for how the Federal Trade Commission (FTC) has viewed these failures for the past two decades. The FTC treats a company's failure to keep its privacy promises as an unfair act or practice. Eli Lilly Settles FTC Charges Concerning Security Breach | Federal Trade Commission

The FTC has also finalized and published a new and improved Safeguards Rule. Its effective date is roughly 100 days out, on December 9, 2022. FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches | Federal Trade Commission. The updated rule spells out features the FTC expects in a company's information security program.

State regulators are active too. They have released data security tools and inspection protocols for overseeing nonbanks. Earlier last month, the Conference of State Bank Supervisors (CSBS) released detailed tools for state examiners nationwide to assess the cyber-preparedness of nonbank entities. CSBS Releases Nonbank Cybersecurity Examination Tools | Orrick InfoBytes

This summer, the New York Department of Financial Services (NYDFS) released draft amendments to its Part 500 Cybersecurity Rules, with only a brief month-long comment period. The amendments would add a mandatory 24-hour notification for cyber ransom payments, annual independent cyber audits for larger entities, and other stronger expectations for board oversight. The comment period ended August 18, 2022, and we await the NYDFS next steps. NYDFS Proposes Significant Changes to Its Cybersecurity Rules | Debevoise & Plimpton

How to Prepare?

So what can a company do now to prepare for this heightened regulatory interest? The CFPB stressed the importance of "common data security practices." Start with the basics.

Make sure your organization has run a recent, up-to-date data security gap assessment. Make sure your written information security program is current, comprehensive, and well-known to your workforce.

The CFPB also called out three specific practices:

  1. Use the security enhancement known as multi-factor authentication (MFA) for both employees and consumers who access systems or accounts that hold consumers' non-public information.
  2. Strengthen password management. Put processes in place for security incidents that may compromise passwords, so employees and consumers are notified immediately to reset passwords when an incident or breach may have put their access controls at risk.
  3. Keep a software update and maintenance program in place. Apply all updates, enhancements, and security patches promptly so systems, software, and code stay current.

The CFPB has reminded the public that the 2017 Equifax incident came from a failure to patch a known vulnerability. That gap gave hackers access to nearly 150 million consumers' information within Equifax's systems.

Where to Start?

If you are unsure where to start, check with an information security expert. You can also review the written information security program tools recently published by CSBS CSBS Releases Nonbank Cybersecurity Examination Tools | Orrick InfoBytes or the HIPAA data security tool recently updated by NIST SP 800-66 Rev. 2 (Draft), Implementing the HIPAA Security Rule | CSRC (nist.gov). The Commonwealth of Massachusetts also publishes a sample "written information security program" among its public materials, right here WISP sample template (Community InRoads).

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

Maryland Rent Collection in 2026: 7 Licensing Risks Property Managers Must Avoid

Licensing

Maryland Rent Collection in 2026: 7 Licensing Risks Property Managers Must Avoid

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

Licensing Challenges for Mortgage Servicers

Licensing

Licensing Challenges for Mortgage Servicers

Mortgage servicers play a central role in the housing finance system. They collect borrower payments, manage escrow accounts, respond to customer inquiries, and step in with loss mitigation or foreclosure processes when borrowers fall behind. Servicers act as the day-to-day managers of loans after origination, ensuring that cash flows properly between borrowers and investors. Since [...]

The Pros and Cons of Outsourcing Debt Collection for Startups and Small Businesses

Licensing

The Pros and Cons of Outsourcing Debt Collection for Startups and Small Businesses

Cash flow is the lifeblood of every startup. When customers delay or default on payments, even the most innovative ideas can stall. Founders often face a critical challenge: Should we collect overdue invoices ourselves, or hand them off to a third-party debt collection agency? Outsourcing debt collection - sometimes called debt recovery outsourcing - has become increasingly common for [...]

DCA Produces NYC's Foreign Languages Services Documentation Requirements

Licensing

DCA Produces NYC's Foreign Languages Services Documentation Requirements

DCA Produces NYC's Foreign Languages Services Documentation Requirements On June 27, 2020 new rules from New York City's Department of Consumer Affairs (DCA) took effect that, among other things, require debt collectors (first and third party) to request and record the language preference of each consumer from whom they collect and inform each consumer [...]

Debt Collection Bonding Requirements in New York City

Debt Collection & Buying

Debt Collection Bonding Requirements in New York City

A question we hear on a regular basis regarding collections in New York City is, "Is there a surety bond requirement that accompanies the license requirement?" The broad answer is "yes" - there is a debt collection bond requirement in NYC. But there is a huge caveat. The bond is only required for agencies that [...]

Debt Collection Laws

Debt Collection & Buying

Debt Collection Laws

*As of this writing - these are accurate. Cornerstone Support is not responsible for decisions based on this web content - please consult legal counsel before implementing based on information in this guide* Debt Collection Laws If you're in debt collection, then you are well aware of the importance of following the debt collection laws [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.