The Consumer Financial Protection Bureau (CFPB) burst onto the scene almost a half dozen years ago, wielding broad new powers on a mission to protect consumers of financial goods and services. The CFPB has aggressively used its authority to remake the federal consumer financial protection scheme, to the delight of some and to the dismay of others.
But few realize that the CFPB could have used its power to drastically reshape data security practices at financial firms. Yet it never has. Few are aware that the CFPB is a sleeping giant on data security.
Congress has never assigned the CFPB any specific responsibility for data security. With the passage of the Dodd-Frank Act, Congress did not transfer to the CFPB the authority to enforce the data security and identity theft requirements of the Gramm Leach Bliley Act and the Fair Credit Reporting Act. The Federal Trade Commission (FTC) retained the authority to enforce these requirements.
That said, much of the development of data security law has come not through enforcing these statutes but through the FTC’s application of the general prohibitions on unfairness and deception in the Federal Trade Commission Act.
Over the years, the FTC has brought forward more than 60 cases that allege companies are engaged in deception or unfairness by failing to implement reasonable safeguards for the consumer data they maintain. These FTC cases have established what many consider to be the backbone of data security law in the United States.
Under the Dodd-Frank Act, however, the CFPB also has the authority to address unfair and deceptive acts and practices. If the CFPB were to follow the example of the FTC, the CFPB could use its authority to develop data security standards for the financial firms within its jurisdiction.
Nevertheless, the CFPB’s sole foray into data security has been a single case earlier this year alleging that Dwolla, an online payment platform, violated the Dodd-Frank Act by making deceptive claims to consumers about its data security practices and the safety of its online payment system.
Given its aggressive assertion of authority on a slew of other topics, it is odd that the CFPB has chosen not to exercise its broad powers over data security. It may be because the CFPB has chosen to accept Congressional intent or has deferred to FTC experience and expertise. It may also be because the CFPB has been so preoccupied in its own assertion of authority elsewhere that it has not had the resources or the time to focus on data security.
Whether by design or default, keeping the FTC (not the CFPB) in the lead on data security makes sense. The FTC has substantial data security expertise through many years of enforcement, rulemaking and policy development work, which is critical given the complexity of many data security matters.
Industry relies on FTC guidance, like the business guide the agency issued as part of its Start with Security initiative, which helps companies decide what practices and procedures they need to adopt. Consumers also rely on the FTC’s programs as a resource. Adding an active CFPB to the data security mix would increase the risk of duplication and conflicting standards when what financial firms need most is clarity.
When new leadership appointed by Donald TrumpDonald TrumpOvernight Defense & National Security — The Pentagon's deadly mistake Overnight Energy & Environment — Presented by Climate Power — Interior returns BLM HQ to Washington France pulls ambassadors to US, Australia in protest of submarine deal MORE arrives at the CFPB, I anticipate they will change the CFPB’s priorities and agenda in many ways. However, the new leaders should not change the CFPB’s somnolent role on data security.
The FTC should be the principal agency establishing data security standards for companies, with the CFPB acting only if it has authority over firms, such as banks, and the FTC does not. Let’s not wake this sleeping giant.
Thomas B. Pahl served as a managing counsel at the Consumer Financial Protection Bureau during the Obama administration. He spent more than 20 years working on financial services and consumer protection issues at the Federal Trade Commission and is now a partner in Arnall Golden Gregory’s privacy and consumer regulatory practice in Washington.
The views of Contributors are their own and are not the views of The Hill.