This particular safeguard, which I've cited to you, comes out of the Gramm-Leach-Bliley Act in the United States, which requires financial institutions to take due care with regard to customers' personal financial information. That's the source of their jurisdiction, in this particular case. They also have general jurisdiction under the Federal Trade Commission Act to protect consumers. I think section 5 is the right section. So they use both of those.
I know they've had a couple of prosecutions under the section 5 power of businesses after a breach.