Apparently, the old cliché about “the more the merrier” applies to the Federal government’s efforts to regulate data security. The Gramm-Leach-Bliley Act addresses the issue in the financial services arena, just as HIPAA deals with it in the health care world. In addition, the Federal Trade Commission has been hyperactive in the field over the last few years. More recently, the Federal Communications Commission has flexed its muscles with broadcasters who collect personal information. The newest entrant, however, is the federal Consumer Financial Protection Bureau (CFPB). That agency has the authority to enforce the data security provisions of the Consumer Financial Protection Act of 2010 (CFPA).
The first recipient of the CFPB’s regulatory oversight is a company called Dwolla, Inc. Dwolla offered consumers an online payment service. Consumers who subscribed to Dwolla could make payments to other consumers or merchants. To subscribe to Dwolla, customers had to submit names, addresses, social security numbers and bank account information. This is of course the Holy Grail for identity thieves. Dwolla started business in 2009. By mid-2015, it had 653,000 members and typically transferred up to $5,000,000 per day.
According to its Web site and other sales materials, Dwolla protected the personal information it gathered in a manner that “exceed[ed] and surpass[ed] industry standards.” It “set a new precedent for the industry for safety and security.” But according to the CFPB, Dwolla’s practices didn’t quite match the hype. Dwolla did not encrypt all of the information it gathered. Moreover, its practices did not meet standards set by the Payment Card Industry Security Standards. The CFPB found a number of other deficiencies. And all of that added up to violations of the CFPA.
Dwolla opted to enter into a Consent Order with the CFPB. Among other things, the Consent Order requires Dwolla to bring its data security practices up to standards approved by the CFPB and submit to annual audits by an independent third party. Dwolla also agreed to pay a civil penalty of $100,000. The obligations imposed by the Consent Order will remain in place for five years, and during that period reports and other records must be available to the CFPB upon request.
The teaching moment offered here is that there are an increasing number of eyeballs on your company’s data security practices. And if you want to avoid those eyeballs staring at you, consider taking a good look at what you’re doing, not doing and maybe most of all PROMISING to do. I’m not sure what’s worse – a six figure fine or a five year relationship with a federal agency. Either way, don’t put yourself in a position to find out.