Here Come the Feds: DIGIT Act, CFPB No-Breach Enforcement Order a Sign of Things to Come

Federal regulators and legislators have been promising for some time now that additional, formal action would be coming on the Internet of Things (IoT) and in the realm of cybersecurity enforcement. Last week, both the United States Senate and the Consumer Financial Protection Bureau (CFPB) made good on those promises.

On the IoT front, a bipartisan group of Senators including Sens. Deb Fischer, R-Neb., Cory Booker, D-N.J., Kelly Ayotte, R-N.H., and Brian Schatz., D-Hawaii, introduced the Developing Innovation and Growing the Internet of Things Act, or the DIGIT Act.

nextgov on DIGIT ACT
“The DIGIT Act is one of many recent congressional actions related to the Internet of Things.”

According to news reports, the new bill introduced on March 1, “directs the Federal Communications Commission to report on the spectrum required to support the Internet of Things. It also proposes creating a working group, made up of public and private sector representatives, to advise Congress on planning for and encouraging the growth of that network as well as how the federal government can adopt the Internet of Things.” (Source:, Senators Introduce Another Internet of Things Bill, March 1, 2016 by Mohana Ravindranath).

“The bill proposes that the working group examine topics such as spectrum needs, federal technology grants, consumer protection, and privacy and security. The FCC study would address spectrum issues, such as the role of licensed and unlicensed spectrum in a highly connected world, according to the bill.” Id, emphasis added.

The findings and recommendations of both the FCC and the working group would be required to be submitted to the appropriate committees of Congress within one year of the bill’s enactment.  (Source: National Law Review, “Internet of Things Bill Introduced,” March 9, 2016).

On the cybersecurity side of things, this past week saw the first data security enforcement action from the Consumer Financial Protection Bureau (CFPB), a governmental agency created by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

CFPB Dwolla enforcement action
“Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws.”

According to the CFPB press release accompanying its consent order, “The Consumer Financial Protection Bureau [ ] took action against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system. The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices.” (Source:, “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices,” March 2, 2016).

Although there was apparently no breach of Dwolla’s data security or systems, the CFPB nonetheless found that Dwolla had, “misrepresented its data-security practices by:

  •  falsely claiming its data security practices “exceed[ed]” or “surpass[ed]” industry security standards; and
  • falsely claiming its “information [was] securely encrypted and stored.” Id.

Both the bipartisan DIGIT Act and the CFPB’s no-breach enforcement action against Dwolla presage additional federal engagement on the Internet of Things and in corporate cybersecurity, more broadly. As a result, organizations of all shapes and sizes, for profit and not, are encouraged to actively monitor such developments and, more importantly, to continue to invest in robust cybersecurity efforts, including but not limited to employee training and vendor screening and management.