The Consumer Financial Protection Bureau (CFPB) announced it will fine online payment platform Dwolla, Inc. $100,000 for deceiving customers about steps it takes to keep their data safe, the CFPB’s first data security-related legal action against a company.

The agency said that the Des Moines company misrepresented its data security practices from December 2010 to 2014 by failing to encrypt some personal consumer information. On its website, the company had stated that its security practices ensured personal data was "safe" and "secure," when Dwolla released applications to the public before testing whether they were secure, the agency said.

Though the Dodd-Frank Act granted the CFPB enforcement authority under UDAAP, industry lawyers suggested the action was another sign of overreach.

"It ups the ante and escalates the concern that companies have in this area of data security and data breaches," said Alan Kaplinsky, who leads the consumer financial services group at Ballard Spahr. "My belief until this action was that the CFPB was going to let the FTC handle this area."