The Consumer Financial Protection Bureau (CFPB) confirmed in a circular that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols. "Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse," said CFPB Director Rohit Chopra. "While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data." The CFPB is increasing its focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents. Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. The circular also provides examples of widely implemented data security practices; however, the circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act.