In this article published in BNA's Banking Report, Michael Gordon, Elijah Alper and Leah Schloss examine the Consumer Financial Protection Bureau's foray into data security enforcement by assessing how the bureau's data security authority compares with that of other federal regulators. The authors analyze the bureau's first data security enforcement and highlight open questions regarding the CFPB's data security agenda.

The Consumer Financial Protection Bureau (CFPB) announced its intention to act as a data security regulator by releasing its first unfair, deceptive or abusive acts or practices (UDAAP) enforcement action for allegedly deceptive statements about data security practices after remaining largely silent on the topic for more than four years. The CFPB's March enforcement action, against a small payments company, contain only a modest civil money penalty and does not require payments to customers. The language in the bureau's action suggests that it expects regulated companies to implement certain data security processes and that it may take further enforcement action in the area of data security. Read the full article