On March 2, 2016, the Consumer Financial Protection Bureau (Bureau) undertook its first data security enforcement action in a consent order against Dwolla, Inc., a payment network provider that allegedly made deceptive representations about its data security practices. Although in this matter the Bureau relied upon its authority to take action against “deceptive” practices, the consent order raises the prospect that the Bureau intends to provide regulatory oversight regarding the substantive adequacy of data security practices of covered persons in the future.

The Bureau asserted that Dwolla made a number of representations about the quality of its data security, including that it “sets a new precedent for the industry for safety and security,” that it was “PCI compliant” (referring to the Payment Card Industry Data Security Standard) and that it “encrypt[ed] data in transit and at rest.” The Bureau alleged that these statements were untrue because Dwolla “did not encrypt all sensitive consumer information in its possession at rest” and its “transactions, servers, and data centers were not PCI compliant.” The Bureau also claimed that Dwolla generally had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” including by failing to:

  • Use appropriate measures to identify reasonably foreseeable security risks;
  • Ensure that employees who had access to or handled consumer information received adequate training and guidance about security risks;
  • Use encryption technologies to properly safeguard sensitive consumer information; and
  • Practice secure software development.

The Bureau concluded that Dwolla’s alleged misrepresentations were “deceptive” within the meaning of the Dodd-Frank Act because they were likely to mislead consumers and were material to consumers’ decision to enroll in the company’s payment network.

The consent order requires Dwolla to pay $100,000 to the Bureau’s civil penalty fund. It also requires Dwolla to make a number of changes to its data security practices, including:  

  • Establishing and implementing a written, comprehensive data security plan that is reasonably designed to protect the confidentiality, integrity and availability of sensitive consumer information;
  • Designating a qualified person to coordinate and be accountable for the data security program;
  • Conducting data security risk assessments twice annually of each area of relevant operation;
  • Evaluating and adjusting the data security program in light of the risk assessments and monitoring required by the Bureau;
  • Conducting regular, mandatory employee training on data security, including on secure software development;
  • Developing, implementing and updating, as required, “security patches to fix any security vulnerabilities identified in any web or mobile application”;
  • Developing, implementing and maintaining “an appropriate method of customer identity authentication at the registration phase and before effecting a funds transfer”;
  • Developing, implementing and maintaining reasonable procedures for selecting and retaining service providers capable of maintaining security practices consistent with the order—and requiring service providers to do so by contract; and
  • Obtaining an annual independent data security audit.

Analysis

The Gramm-Leach-Bliley Act (GLBA) directed the Federal Trade Commission (FTC) and certain other financial regulators to promulgate regulations requiring financial institutions subject to their jurisdiction to adopt appropriate administrative, technical and physical information security controls. The regulations that the FTC and the other agencies issued under this authority are known as the “Safeguards Rules.” When Congress created the Bureau, however, it specifically provided in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) that the Bureau would have no authority to issue its own Safeguards Rule, or to enforce the Safeguards Rules issued by the other agencies. Significantly, however, the Dodd-Frank Act generally allows the Bureau to take action to prevent unfair, deceptive or abusive acts or practices (UDAAPs) in connection with the provision of consumer financial products or services.

The Bureau did not claim that Dwolla engaged in “unfair” or “abusive” practices by maintaining (what the Bureau alleged to be) substandard information security controls. Rather, the Bureau argued that Dwolla had deceived consumers by making exaggerated claims about the robustness of its data security program. While the Bureau predicated its action on Dwolla’s public representations, the remedies set forth in the consent order go beyond merely revising those claims. Rather, the consent decree imposes substantive obligations on Dwolla to improve its data security program.

This consent order is significant for other companies under the Bureau’s jurisdiction as the choice of remedies suggests that the Bureau may seek to impose substantive data security requirements on other consumer financial service providers. Even if another provider does not make claims about its data security program, the Bureau may seek to impose data security requirements pursuant to its UDAAP authority by arguing that having a deficient data security program is itself “unfair” or “abusive.”

The FTC has provided the Bureau with precedent for this approach. Like the Bureau, the FTC’s initial data security actions were based on allegations that the target misrepresented the extent of its data security practices. Over time, however, the FTC’s data security actions have increasingly relied on the FTC’s authority to police “unfair” practices.

It also is significant that the consent order requires Dwolla to pay a $100,000 civil money penalty. The FTC also has been very active in the data security space and has entered into similar consent orders with financial and non-financial companies. Unlike the Bureau, however, the FTC has limited authority to impose monetary penalties in these circumstances. When the FTC targets data security issues, its initial action generally only requires that the company agree to make changes to its practices and submit to periodic audits. The FTC can only impose civil money penalties if the company subsequently violates that initial consent order. By contrast, the Dodd-Frank Act allows the Bureau to impose civil money penalties in connection with the initial consent order, which substantially raises the stakes for companies subject to the Bureau’s jurisdiction.

The Bureau had hinted that it intended to engage on data security issues in prior actions, such as in its July 2015 statement of principles for consumer protection in faster payments systems. Its first enforcement action in this field now confirms that companies that offer or provide consumer financial services, as well as their service providers (within the meaning of the Dodd-Frank Act), will be subject to scrutiny by another regulator, as they continue to implement and refine their data security programs. Moreover, the enforcement action confirms that the Bureau is willing to bring a data security enforcement action even in the absence of any actual compromise of consumer data. Likewise, while the consent order formally focuses on deceptive conduct, its specific requirements for data security going forward suggest that the Bureau intends to weigh in on both how companies describe their data security practices and the adequacy of those data security practices.