WASHINGTON—Is the CFPB’s oversight reach now extending to data security?
According to a report by Bloomberg, that may well be the case.
Bloomberg reported that the CFPB, after remaining largely silent on the topic for more than four years, announced its intention to act as a data security regulator by releasing its first unfair, deceptive or abusive acts or practices (UDAAP) enforcement action for allegedly deceptive statements about data security practices.
The CFPB’s enforcement action, against a small payments company, contains only a modest civil money penalty and does not require payments to customers, Bloomberg noted.
“The language in the Bureau’s action suggests that it expects regulated companies to implement certain data security processes and that it may take further enforcement action in the area of data security,” Bloomberg said.
