On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security related enforcement action against online payment systems company Dwolla, Inc.
Dwolla, Inc., operates an online payment system that involves the collection and storage of consumers’ sensitive personal information, including names, addresses, dates of birth, telephone numbers, social security numbers, bank account and routing numbers, passwords, and a unique 4-digit PIN.
Dwolla, Inc., represented directly to consumers and on its website that:
- It protects consumers’ data from unauthorized access with “safe” and “secure” transactions;
- Its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard Compliant;
- It encrypted all sensitive consumer personal information; and
- Its mobile applications were safe and secure.
In its consent order, the CFPB alleges that Dwolla, Inc.’s claims about its data-security practices were false and deceptive and violated the Consumer Financial Protection Act and 12 U.S.C. §§ 5531(a), 5536(a)(1). Specifically, the CFPB alleges that Dwolla, Inc., misrepresented its data-security practices by:
- Falsely claiming its data security practices “exceeded” or “surpass” industry security standards when, in fact, Dwolla, Inc., allegedly failed to employ reasonable and appropriate measures to protect consumer data; and
- Falsely claiming its “information is securely encrypted and stored” when, in fact Dwolla, Inc., did not encrypt all consumer data.
The consent order requires Dwolla, Inc., to:
- Stop misrepresenting its data security practices;
- Enact comprehensive data security measures and policies, including a program of risk assessments and audits;
- Train employees on the company’s data security policies and procedures;
- Fix all security weaknesses found in its web and mobile applications; and
- Pay a $100,000 civil money penalty.
This enforcement action is significant, because it marks the CFPB’s first data-security related enforcement action. Given the increase in the number of recent data breaches, many regulators are beginning to emphasize the importance of data-security. The Dwolla, Inc., enforcement action should serve as a reminder to companies to ensure that they have developed and implemented thorough data security policies and procedures and that they are accurately advertising their data security practices to avoid or minimize future CFPB or other regulatory action. It is also important to remember that effective data security programs require policies and procedures that not only effectively protect consumers’ data, but also include a thorough response plan in the event a data breach occurs. For more information on what your company should consider in evaluating its cybersecurity preparedness, review Key Considerations for Financial Institutions’ Cybersecurity Preparedness (article begins on page 3).
You can view the CFPB’s Dwolla, Inc., consent order here: http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.
You can view the Key Considerations for Financial Institutions’ Cybersecurity Preparedness article here (article begins on page 3): file:///C:/Users/Zane/Downloads/Zane%20Gilmer%20January%202016%20Article.pdf.
ABOUT STINSON LEONARD STREET
Stinson Leonard Street LLP provides sophisticated transactional and litigation legal services to clients ranging from individuals and privately held enterprises to national and international public companies. As one of the 100 largest firms in the U.S., Stinson Leonard Street has offices in 14 cities, including Minneapolis, Mankato and St. Cloud, Minn.; Kansas City, St. Louis and Jefferson City, Mo.; Phoenix, Ariz.; Denver, Colo.; Washington, D.C.; Decatur, Ill.; Wichita and Overland Park, Kan.; Omaha, Neb.; and Bismarck, N.D.
Zane Gilmer is a member of the firm’s litigation practice group. His practice focuses on business litigation and compliance and he is a member of the firm’s CFPB taskforce. Zane works out of the firm’s Denver office and he can be reached at email@example.com or 303.376.8416.
The views expressed herein are the views of the blogger and not those of Stinson Leonard Street or any client.