From: Bloomberg Law: Banking
Data Security
The authors examine the Consumer Financial Protection Bureau’s foray into data security enforcement by assessing how the bureau’s data security authority compares with that of other federal regulators. The authors analyze the bureau’s first data security enforcement and highlight open questions regarding the CFPB’s data security agenda.
By Michael Gordon, Elijah Alper and Leah Schloss
The Consumer Financial Protection Bureau (CFPB) announced its intention to act as a data security regulator by releasing its first unfair, deceptive or abusive acts or practices (UDAAP) enforcement action for allegedly deceptive statements about data security practices after remaining largely silent on the topic for more than four years. The CFPB’s March enforcement action, against a small payments company, contains only a modest civil money penalty and does not require payments to customers. The language in the bureau’s action suggests that it expects regulated companies to implement certain data security processes and that it may take further enforcement action in the area of data security.
Despite this enforcement threat, the bureau has provided virtually no guidance on the specific data security practices it expects companies to follow. Nor has it explained how it will determine whether data security measures are “reasonable” or “industry standard.” While other federal agencies have released extensive rulemaking and guidance on data security, the bureau has not indicated whether it will act consistently with that prior guidance, or whether it will require its regulated institutions to adopt more stringent data security practices. The bureau’s first data security enforcement action provides little guidance for regulated entities concerned about data security.
Leave a Reply