Following in the footsteps of the Federal Trade Commission, the Consumer Financial Protection Bureau has brought its first enforcement action for alleged misrepresentations about a company's data security practices, imposing a $100,000 fine against an online payment system company.
Iowa-based Dwolla, Inc. operated an online payment system that by May 2015 had more than 650,000 users and transferred as much as $5 million per day. As part of its operations, the company collected and stored sensitive personal information including a user's name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, password, and unique four-digit PIN.
From December 2010 until 2014, according to the CFPB's complaint, Dwolla claimed that its financial platform provided "safe" and "secure" transactions and that "anyone with an Internet connection" could "safely send money to friends or businesses." The company also assured consumers that it encrypted all sensitive personal information and that its security practices exceeded industry standards, achieving compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
Contrary to such claims, the Bureau alleged, the company failed to employ reasonable and appropriate measures to protect consumer data from unauthorized access, did not encrypt some of the sensitive consumer personal information it held, and released applications to the public before testing whether they were secure.
The company neither admitted nor denied the CFPB's charges, but the consent order requires Dwolla to pay a $100,000 fine and to stop misrepresenting its data security practices. Specifically, the company may not deceive consumers about the security of its online payment system and must adopt comprehensive data security measures and policies, including a program of risk assessments and audits.
In addition, Dwolla must fix the security flaws identified in the order, securely store and transmit consumer data, and properly train its employees on the company's data security policies and procedures and on how to protect the sensitive personal information provided by consumers.
The CFPB brought its first data security case pursuant to its power, under the Dodd-Frank Wall Street Reform and Consumer Protection Act, to take action against institutions engaged in unfair, deceptive, or abusive acts or practices, noting that the effort "builds off advances made by several other agencies."
"Consumers entrust digital payment companies with significant amounts of sensitive personal information," CFPB Director Richard Cordray said in a statement about the case. "With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices."
The consent order is captioned In the Matter of Dwolla, Inc.
Why it matters: The CFPB's enforcement action made headlines not for the allegations themselves or the amount of the fine but for the agency's expansion of its authority into the cybersecurity arena and its apparent encroachment on the FTC's turf. Over the last decade, the Commission has pursued more than 50 data security actions and has positioned itself as the federal agency policing such issues. With the CFPB now asserting itself as a cybersecurity enforcer, the action puts financial institutions and other entities under the Bureau's enforcement umbrella on notice to review both their data security practices and the claims they make about them. Importantly, no actual breach or compromise of consumer information gave rise to the action; the CFPB relied solely on its authority to challenge unfair or deceptive acts and practices, treating the gap between Dwolla's public security statements (encryption of all sensitive data, PCI-DSS compliance, practices exceeding industry standards) and its actual controls as the violation. The practical lesson for security and compliance teams is that every such statement in marketing copy, terms of service, or customer assurances should map to a control the company can actually demonstrate.