BNA INSIGHTS: The CFPB and Data Security Enforcement

The authors examine the Consumer Financial Protection Bureau's foray into data security enforcement by assessing how the bureau's data security authority compares with that of other federal regulators. The authors analyze the bureau's first data security enforcement and highlight open questions regarding the CFPB's data security agenda.

By Michael Gordon, Elijah Alper and Leah Schloss

Michael Gordon is a Partner in the Washington office of WilmerHale and Chair of the firm's Consumer Financial Protection Bureau Practice. He joined WilmerHale after spending four years in senior positions at the CFPB, helping to design, build and set priorities for the Bureau since its inception.

Elijah Alper is Counsel in the Washington office of WilmerHale, where he advises financial institutions in supervisory and enforcement matters regarding traditional consumer finance and emerging technologies.

Leah Schloss is a Senior Associate in the Washington office of WilmerHale, where she advises clients on cybersecurity, government contracts, and export control investigative, regulatory and compliance issues.

After remaining largely silent on the topic for more than four years, the Consumer Financial Protection Bureau (CFPB) announced its intention to act as a data security regulator by releasing its first unfair, deceptive or abusive acts or practices (UDAAP) enforcement action for allegedly deceptive statements about data security practices. The CFPB's March enforcement action, against a small payments company, contains only a modest civil money penalty and does not require payments to customers. The language in the bureau's action suggests that it expects regulated companies to implement certain data security processes and that it may take further enforcement action in the area of data security.

Despite this enforcement threat, the bureau has provided virtually no guidance on the specific data security practices it expects companies to follow. Nor has it explained how it will determine whether data security measures are “reasonable” or “industry standard.” While other federal agencies have released extensive rulemaking and guidance on data security, the bureau has not indicated whether it will act consistently with that prior guidance, or whether it will require its regulated institutions to adopt more stringent data security practices. The bureau's first data security enforcement action provides little guidance for regulated entities concerned about data security.

In this article, we examine the CFPB's foray into data security enforcement by assessing how the bureau's data security authority compares with that of other federal regulators. We then analyze the bureau's first data security enforcement action and highlight open questions regarding the CFPB's data security agenda.

Existing Federal Data Security Regulation Outside the CFPB

The CFPB has joined a crowded field of federal regulators policing data security through authority granted by several statutes and regulations. There is no universal federal law on data security, and jurisdiction is shared among regulators that oversee banks, nonbank financial services companies and nonfinancial companies.

Of all federal regulators, the Federal Trade Commission (FTC) has been the most active in data security to date. The FTC relies on two authorities to enforce data security compliance: (1) statutory authority to police unfair and deceptive acts or practices under Section 5 of the FTC Act, and (2) its authority to enforce its “safeguards” regulations promulgated under the Gramm-Leach-Bliley Act (GLBA). The federal banking agencies have similar authority over their regulated institutions.

FTC Section 5 Enforcement: The FTC has used its authority under Section 5 to bring more than 60 enforcement actions since 2002 against companies for engaging in allegedly “unfair” or “deceptive” data security practices. The FTC has alleged that companies acted “deceptively” by making material and false statements about their data security practices that misled consumers, and it has claimed that companies acted “unfairly” when allegedly lax data security practices caused (or were likely to cause) sensitive consumer information to be stolen through security breaches. The FTC believes that such conduct is unfair under Section 5 of the FTC Act because consumers are reasonably likely to be harmed when their sensitive information is compromised, and consumers cannot avoid such injury.

The FTC's authority to enforce lax data security practices as “unfair” conduct is not fully resolved, especially where no data breach took place. In November 2015, the FTC's chief administrative law judge dismissed an FTC complaint against LabMD, holding that consumer harm that is merely possible due to alleged data security weaknesses — without any evidence to support that such harm is in fact likely — is insufficient to prove unfairness under Section 5 of the FTC Act. The case is on administrative appeal to the full FTC, and oral argument was held March 8. The FTC did prevail earlier in 2015 on a challenge to its unfairness authority, when the Third Circuit Court of Appeals, in a case against Wyndham hotels, affirmed that the FTC's unfairness authority allows it to bring enforcement actions for lax data security. However — unlike in LabMD — in the Third Circuit case, the FTC alleged an actual data breach resulting in a specific alleged loss to consumers.

The FTC first released guidance in 2007 identifying what it considers reasonable data security standards for protecting personal information, and it updated this guidance in 2011. Together with the FTC's extensive enforcement history, the guidance provides companies with a detailed road map for complying with the FTC's data security expectations.

The Third Circuit pointed to this guidance, as well as the FTC's history of publishing complaints and consent decrees, in holding that Wyndham had fair notice that its specific cybersecurity practices might be interpreted by the FTC as “unfair” conduct under Section 5 of the FTC Act.

FTC Safeguards Rule: In addition to its Section 5 authority, the FTC regulates data security through powers granted to it by the GLBA. That statute directed the FTC and federal banking agencies to establish “appropriate standards” for financial institutions to establish administrative, technical and physical safeguards relating to the security and confidentiality of customer information.

The FTC's implementing regulations, commonly referred to as the “Safeguards Rule,” require those financial institutions subject to the FTC's GLBA jurisdiction to implement and maintain a comprehensive written data security program addressing a few basic prescribed security issues, but the Safeguards Rule generally does not specify details about the types of data security measures the institutions must implement. The FTC has enforced the Safeguards Rule through more than 10 public actions (all against nonbanks) for alleged violations.

Federal Banking Agencies: Separately, the federal banking agencies promulgated the Interagency Guidelines for Safeguarding Consumer Information. Like the FTC's Safeguards Rule for nonbanks, the Interagency Guidelines implement the GLBA's data security provisions for institutions regulated by the federal banking regulators, but the Interagency Guidelines are generally more detailed and demanding.

For example, unlike the FTC Safeguards Rule, the Interagency Guidelines require involvement from bank directors and senior leadership, and they require banks to take an active role in overseeing data security practices of their service providers.

These Interagency Guidelines have been supplemented by various guidance documents and bulletins by the Federal Financial Institutions Examination Council (FFIEC). Most significantly, the FFIEC Information Security Booklet, one of the booklets that comprise the FFIEC Information Technology Examination Handbook, includes detailed guidance on information security practices federal financial examiners expect financial institutions to implement.

The CFPB's Potentially Powerful Data Security Authority

The Dodd-Frank Act did not explicitly direct the bureau to regulate data security, nor is there an obvious gap in federal data security oversight that only the bureau can fill. However, the bureau's UDAAP powers allow it to participate in data security supervision, rulemaking and enforcement.

Like the FTC, the CFPB can assert that its UDAAP authority permits it to take enforcement action against companies for alleged data security practices or statements it finds unfair or deceptive, and the CFPB can also penalize companies for practices it deems abusive.

However, it is far from clear that Congress intended the bureau to use its UDAAP authority in this way. The Dodd-Frank Act granted the bureau authority over virtually every federal consumer financial law, including the GLBA's provisions regarding consumer privacy, but it expressly carved out the GLBA's data security provision that underlies the FTC's Safeguards Rule and the Interagency Guidelines. Thus it appears that Congress intended the bureau's data security authority to be narrower than that reserved for the FTC and federal banking agencies, if Congress intended the bureau to be a data security regulator at all.

While the FTC's and CFPB's jurisdiction over unfair and deceptive acts and practices may cover similar conduct, there are key differences between the power each agency has to enforce these provisions:

  • Civil Money Penalties (CMPs): The bureau can assess civil penalties for any UDAAP violation, while the FTC can assess penalties only in limited circumstances, such as for violations of existing administrative orders. CMP authority is particularly important in data security actions, where it might be difficult to estimate consumer harm for restitution purposes.
  • Supervisory Authority: The bureau has examination authority over several of its regulated entities. Covered institutions include banks with more than $10 billion in assets (and their affiliates), mortgage companies, payday and private student lenders, and “larger participants” in the consumer financial market, as defined by rulemaking. This comprehensive power grants the bureau broad, on-site access to the books and records of the supervised institutions. Bureau supervisory staff can direct supervised institutions to change data security practices through the supervisory process, or they can refer suspected violations to the CFPB's enforcement division. By contrast, the FTC is generally limited to issuing civil investigative demands (CIDs) to investigate companies, and the CFPB has its own CID authority in addition to its supervisory powers.
  • Rulemaking Authority: The bureau can write UDAAP regulations under standard administrative notice-and-comment procedures, while the FTC's Section 5 rulemaking authority is subject to significant procedural hurdles. Before now, the bureau had given virtually no public guidance on data security. While the bureau to date has preferred to define UDAAP practices through enforcement rather than prospective rulemaking, it could bring much-needed transparency to its data security expectations by clarifying, through a notice-and-comment process, what data security practices and safeguards are required to avoid UDAAP violations.
  • Covered Persons: The CFPB's UDAAP authority applies only to covered persons (and their service providers) to the extent they offer a “consumer financial product or service.” While most financial institution activities are included in the definition of “consumer financial product,” some activities (e.g., securities and the business of insurance) are expressly exempt, and other companies have argued that they are not covered by this term. The FTC's Section 5 authority applies broadly to nonbanks regardless of whether they are subject to CFPB UDAAP jurisdiction.

The CFPB's Uncertain Data Security Role Going Forward

The bureau has made a modest entrance into data security enforcement. Like the FTC, the bureau appears to be comfortable policing data security through its authority to address unfair and deceptive practices. But unlike the FTC, the bureau has not articulated which practices are “reasonable” or “industry standard,” even though it has now demonstrated a willingness to conduct enforcement for violations of its data security expectations. This leaves regulated entities in the difficult position of knowing that the bureau has data security expectations, but not knowing what those expectations are or what steps companies should take to avoid enforcement.

The bureau has several tools at its disposal should it choose to become more active on data security. It could use its unique UDAAP rulemaking authority to promulgate detailed regulations requiring specific data security measures. Unlike the FTC, the bureau could assert this UDAAP authority against banks to mandate data security protections that the federal banking regulators have not required. The CFPB might even assert that violations of the Safeguards Rule and Interagency Guidelines also constitute “unfair” or “deceptive” conduct, which could permit the bureau to take enforcement action for those violations.

The FTC's Safeguards Rule enforcement actions often allege that conduct violating the Safeguards Rule also violates Section 5 of the FTC Act, and the CFPB has taken a similarly expansive view of UDAAP in other contexts, e.g., in applying violations of the Fair Debt Collection Practices Act to original creditors. The bureau might decide to allege unfair conduct even where there is no data breach or evidence of consumer harm. It could claim that the LabMD decision holding otherwise applies to the FTC only, even though the standards both agencies use to define “unfair” conduct are essentially identical.

The bureau's latest action also brings to a head several questions about how, or whether, the CFPB will work with the other federal agencies enforcing data security practices. The bureau may be content with occasional enforcement actions that follow the FTC's existing Section 5 theories, or it may attempt to become the leading data security regulator for consumer financial products and services.

Bureau data security enforcement may renew calls for the CFPB to cooperate with the FTC, which has overlapping jurisdiction over unfair and deceptive practices. Thus far, the bureau has resisted calls for a formal, public division of enforcement authority with the FTC, despite reports that the two agencies seem to compete as much as they cooperate. Nor has either agency explained how certain cases end up with the bureau while substantially similar cases against similar companies are pursued by the FTC. Because the CFPB has far greater civil money penalty authority, a company targeted by the bureau for data security issues might face greater punishment than a similarly situated company investigated by the FTC.

The bureau's single enforcement action to date provides few hints as to how often the agency will pursue data security regulation or enforcement. Absent further guidance from the bureau, it is too soon to tell whether the CFPB will merely supplement the data security oversight of the FTC and federal banking agencies, or whether it will break with those other regulators and pursue its own data security agenda.