Cybersecurity and Data Privacy: CFPB Takes Unprecedented Action Against Company

March 6, 2016

By: Clifford G. Tsan and Michael D. Billok

A new regulatory authority has entered the field of data security: the relatively new Consumer Financial Protection Board (CFPB). On March 2, the CFPB announced that it had reached a consent order with an Iowa-based company as a result of that company’s data security practices. The circumstances giving rise to this consent order were unique, especially given that no consumer data was actually exposed. In fact, no data breach even occurred.

Instead, the CFPB brought charges against the company solely because it found that the company’s representations about its security measures were false. Specifically, the company had represented in advertisements and elsewhere that its security practices "set[] a new precedent for the industry for safety and security", and that consumer data was "securely encrypted and stored" in a "bank-level hosting and security environment." It also represented that its security procedures were "PCI compliant." In reality, the security procedures fell well short of industry standards, did not encrypt consumer data, and were not PCI compliant.

Pursuant to the consent order, the company agreed to pay a $100,000 fine, to conduct security audits, and to adjust its security practices going forward. Further still, the consent order took the unprecedented step of requiring the company’s board of directors to monitor and bear ultimate responsibility for the company’s compliance going forward.

This consent order is a strong example of the CFPB’s rapidly increasing use of its so-called ‘deception authority.’ The takeaway is a significant one: a company may end up in the regulatory crosshairs of the CFPB for deceptive practices related to data security even if no data breach actually occurs. In light of this recent development, companies would be well-advised to make sure that any representations they make about their data security practices are precise and entirely accurate going forward.

A full version of the consent order can be accessed at

For more information, please contact Clifford G. Tsan, Michael D. Billok, Lisa A. Christensen or Christopher J. Stevens.
