On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) broke new ground (at least for the CFPB) when it released a consent order against Dwolla, Inc. (“Dwolla”), an online payment platform, regarding data security. While in many respects the data security “message” sent by the CFPB is not a new one (e.g., companies must live up to their data security promises), the consent order is particularly noteworthy because it represents the CFPB’s first formal foray into the data security area, an area where there has been some question as to the scope of the CFPB’s authority. This consent order clearly indicates the CFPB’s belief that the Consumer Financial Protection Act (“CFPA”) provides the agency with the authority to police data security practices in the financial space, utilizing its unfair, deceptive or abusive acts or practices (“UDAAP”) authority...