On March 2, 2016, the CFPB announced that it had settled an enforcement action with Dwolla, Inc., an online payment platform, for making allegedly deceptive statements regarding its data security practices and the safety of its online payment system. Dwolla agreed to pay a $100,000 civil penalty and to undertake measures to improve its data security.
The CFPB Formally Enters the Data Security Enforcement Space. The CFPB now joins the cacophony of regulatory agencies—including the FTC, the SEC, the FCC, and State Attorneys General—that have brought enforcement proceedings against companies related to their data security practices. The CFPB’s interest in penalizing companies for allegedly deceptive data security representations suggests future enforcement activity in this area, particularly given that the CFPB brought this action without any alleged data breach. Companies subject to CFPB jurisdiction should consider themselves on notice to adopt the data security standards that the CFPB is likely to expect from the financial services industry, as further discussed below. The CFPB has asserted itself as a data security enforcement agency even though Title X of the Dodd-Frank Act expressly withholds from the CFPB the authority to enforce the financial institution safeguards rules under the Gramm-Leach-Bliley Act, unlike other financial sector regulators, including the Federal Reserve System, the FDIC, and the OCC.
The CFPB Duplicates an FTC Enforcement Theory. Rather than relying on any direct regulatory authority over Dwolla’s data security practices, the CFPB invoked its general authority to penalize regulated entities engaging in any unfair, deceptive, or abusive act or practice (“UDAAP”). The FTC has previously asserted claims under a similar theory in dozens of data security-related enforcement actions.