Brian Knight
Associate Director, Financial Policy, Center for Financial Markets
Brian Knight is an attorney with significant experience in new sources of capital, financial technology, and entrepreneurial issues. He is interested in the interplay between technological, regulatory, and market innovation and how best to improve access to capital for businesses of all sizes.

A Tale of Two Cybersecurity Enforcement Actions

By: Brian Knight
March 08, 2016

The CFPB’s enforcement action against Dwolla will no doubt make waves across the FinTech spectrum. For one, it becomes another data point in the “FinTechs are under-regulated/FinTechs are adequately regulated” debate waged by the likes of The Clearing House, a bank industry group that put out a whitepaper arguing directly that non-bank FinTech firms were under-regulated with regard to data security, and the Electronic Transactions Association and Financial Innovation Now (FIN), which tend to view FinTech as adequately regulated. Both sides have something to like: Team Under-regulated can point to a FinTech that (allegedly) had inadequate data security, while Team Adequately-regulated can argue that Dwolla is, well, getting regulated, a point FIN’s Brian Peters made on Twitter after the order was announced. Dwolla acknowledges that it is subject to Dodd-Frank and the CFPB’s jurisdiction, so what’s the problem? Of course this isn’t going to settle the “Is FinTech sufficiently regulated?” debate, but it provides another data point.

Who and Why Matters

Another interesting point is who is doing the regulating and why. Traditionally it is the Federal Trade Commission that handles consumer data protection issues, so the CFPB stepping in may reflect a budding turf war between the agencies. Likewise, it may be relevant that the CFPB grounded its action in the “deceptive” prong of its authority under Dodd-Frank, based on Dwolla’s alleged misrepresentation of its data security to potential customers, rather than on the adequacy of that security in itself.

Compare this to the Federal Trade Commission’s (FTC) recent and controversial enforcement action against Wyndham Hotels. In that case, Wyndham allegedly had inadequate cybersecurity procedures and capabilities which, unlike Dwolla’s, did result in several breaches and the compromise of thousands of consumer records. While the FTC also alleged that Wyndham misrepresented its procedures and capabilities to potential consumers, it further claimed that Wyndham’s cybersecurity procedures were themselves an “unfair” trade practice. The deception claim seems fairly straightforward: if Wyndham claimed it used certain methods (e.g. encryption) and in fact it didn’t, that is deceptive. An unfairness claim that derives from the deception is also fairly uncontroversial, since it isn’t fair to lie to consumers about security practices, thereby preventing them from protecting themselves by choosing a different, more secure vendor.

However, what is potentially controversial about the FTC’s unfairness claim is that it contemplates a situation where, absent any deception, poor cybersecurity may be unfair in and of itself. That possibility is part of why Wyndham contested the FTC’s jurisdiction to regulate its cybersecurity processes (setting the deception issue aside), but the Third Circuit Court of Appeals ruled that, at least in theory, the FTC could find sufficiently inadequate cybersecurity to be an unfair trade practice under the Federal Trade Commission Act.

Unfair, Deceptive, What’s The Difference?

So, why does it matter whether the regulator uses unfairness or deception to justify its enforcement? Because of predictability. There is no codified general cybersecurity standard in U.S. law, and both the FTC and CFPB have broad grants of authority by design. While this principles-based regulation (the principles being “don’t deceive customers, and don’t be unfair”) is flexible and adaptable (good), it may also lead to unpredictability as to what companies must do, and to more “regulation by enforcement,” since the evolving standards of what is and is not unfair need to be tested by adjudication (bad).

A company is presumably in the best position to know what type of cybersecurity process and capability it has and what it tells consumers, and as such should know, or at least have a very good idea of, whether it is being deceptive. In deception determinations in court, the devil may be in the details, especially if the representations to customers were less precise and more puffery (it is easy to check whether a company actually encrypts the data it claims to encrypt, harder to determine whether its security is “great”). Even then, the company chooses how to describe its security and retains significant control over whether its words match its practices.

That said, establishing a standard to determine whether cybersecurity is inherently unfair, absent deception, is more challenging. While Wyndham allegedly had terrible security and multiple breaches, which the court says should have put the company on notice that its security was objectively insufficient, it remains an open question where the line between suboptimal and unfair security lies. After all, unlike deception, where the company is the active participant, the objective quality of a security system depends in part on how adept the criminals trying to penetrate it are. There is a real risk that a company may find itself subject to enforcement because, in the cold light of dawn after a major breach, its system is judged unfairly inadequate even though it never deceived its customers.

Now, an unfairness determination is subject to a cost-benefit analysis, and the FTC has published some non-binding guidance for companies on cybersecurity matters. The alleged circumstances in Wyndham are damning, so it is doubtful that the regulators are going to pounce on every company that forgets to update its anti-virus software once. However, this ruling increases regulatory uncertainty and the potential for regulators to second-guess companies, and it remains unclear what the standard for “unfairness” is. Is it negligence? Recklessness? Does it require a bad act or a failure to act? Companies may not be able to determine where the line is or predict when they have crossed it, which could cause them to overinvest in cybersecurity (yes, it is possible) at the expense of other needs.

So What Does It Mean?

The CFPB and FTC enforcement actions are not identical. They involve different facts and rely (at least in part) on different grounds. They may also reflect different enforcement philosophies, with the CFPB focused on what companies communicate to consumers, while the FTC is willing to look at underlying business practices. What is clear, however, is that cybersecurity currently resides in a “regulation by enforcement” environment. As such, FinTech firms must be mindful of both their cybersecurity practices and their representations about those practices. Meanwhile, I urge all stakeholders, including Congress, regulators, market participants, and consumers, to consider whether this is an optimal method of regulation, or whether some changes, be they legislative, regulatory, or process oriented, are in order.