Last August, we blogged about a Third Circuit decision that held the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act. In our blog post, we commented that banks and other companies subject to the CFPB’s jurisdiction faced the possibility that the CFPB could begin using its Dodd-Frank authority to bring enforcement actions against companies engaged in unfair, deceptive, and abusive acts and practices (UDAAP) to regulate cybersecurity policies and procedures. The CFPB’s announcement yesterday of its first data security enforcement action demonstrates that our concerns were well-founded.
The CFPB’s target in this action was Dwolla, Inc., a company that operates an online payment system and uses consumers’ personal information to complete financial transactions. The CFPB lacks enforcement authority with respect to the data security provisions of Gramm-Leach-Bliley. In targeting Dwolla, the CFPB apparently decided that it could use its UDAAP authority with respect to data security matters. Focusing on the UDAAP deception prong, the CFPB alleged that the company failed to maintain adequate data security practices despite representations, made on the company website and in communications with consumers, that the company had implemented practices exceeding industry standards. The CFPB’s action significantly ups the ante for large banks and non-banks subject to the CFPB’s enforcement jurisdiction.
For more about the action, see our legal alert. On March 18, 2016, Ballard Spahr will conduct a webinar, “The CFPB’s First Data Security Enforcement Action – Its Significance for Banks and Non-Banks.” A link to register is available here.