On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) took its first-ever data security enforcement action, in the form of a Consent Order entered between CFPB and Dwolla.  Des Moines, Iowa-based Dwolla was founded in 2009 and is an online payment platform that allows consumers to transfer money.  To use the service, customers must provide Dwolla with sensitive personal information including their name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, usernames, passwords and four-digit PINs.  CFPB stated that as of May 2015, Dwolla had approximately 653,000 users and was processing payments aggregating as much as $5 million a day.

In the Consent Order, CFPB states that Dwolla misrepresented its data security practices and engaged in deceptive practices relating to consumer financial products and services, in violation of the Consumer Financial Protection Act of 2010 (“CFPA”) sections 12 U.S.C. 5531(a) and 5536(a)(1).

The Consent Order states that Dwolla made numerous representations concerning its data security practices, including:

  • that its network and transactions were “safe” and “secure.”
  • that Dwolla transactions were “safer [than credit cards] and less of a liability for both consumers and merchants.”
  • that Dwolla ’s data-security practices “exceed industry standards,” or “surpass industry security standards”;
  • that Dwolla “sets a new precedent for the industry for safety and security”; stores consumer information “in a bank-level hosting and security environment”; and encrypts data “utilizing the same standards required by the federal government.”
  • that “All information is securely encrypted and stored” using “industry standard encryption technology”
  • that Dwolla “encrypt[s] data in transit and at rest”;
  • that “Dwolla’s website, mobile applications, connection to financial institutions, back end, and even APIs use the latest encryption and secure connections”; and
  • that Dwolla is “PCI compliant”.

In the Consent Order, CFPB states that, contrary to those representations:

  • Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
  • Dwolla’s data-security practices did not “surpass” or “exceed” industry standards.
  • Dwolla did not encrypt all sensitive consumer information in its possession at rest.
  • Dwolla’s transactions, servers, and data centers were not PCI compliant

Specifically, CFPB found that Dwolla had no security policies or procedures in place at all until at least September 2012, did not even have a written data security plan until October 2013, four years after beginning operations, and failed to conduct either data security training or an adequate internal risk assessment until mid-2014 despite horribly failing a penetration test in December 2012.

CFPB further found that Dwolla regularly transmitted unencrypted PII such as names, addresses, SSNs, account numbers, and PINs, and pictures of members’ drivers’ licenses, social security cards and utility bills.  In addition, the Consent Order states that Dwolla regularly encouraged members to transmit their sensitive PII to Dwolla in the clear in order to expedite registration.

Dwolla stipulated to the Consent Order, without admitting any of the CFPB’s allegations.  However, Dwolla agreed to pay a $100,000 fine to resolve the matter.  Further, the Consent Order requires that Dwolla:

  • not misrepresent its data security practices;
  • implement comprehensive written data security measures and policies, including a program of periodic risk assessments and independent audits;
  • train its employees;
  • fix any security weaknesses identified through the risk assessments and audits;
  • securely store and transmit information.

Further, the order specifically obligates Dwolla’s Board to develop a compliance plan, subject to review and revision by CFPB, and to assume “ultimate responsibility” for Dwolla’s compliance with data security and privacy.

Notably, in its own statement concerning the matter, Dwolla represents that they have never “detected any evidence or indicators of a data breach, nor … received a notification or complaint of such an event.”  It is unclear how Dwolla became a target for regulatory action by CFPB in this case.

This case demonstrates that companies making claims of outstanding data privacy and security may face more robust regulatory scrutiny, and that a data breach incident is not a prerequisite for serious regulatory enforcement action.  Recent FTC data privacy and security actions have also apparently come independent of any data breach incident, and the SEC has warned that increased security and privacy enforcement is coming.  The general trend appears to be an increase in regulatory oversight and action in the sphere of data security and privacy.  Companies should re-evaluate their privacy and data security policies and programs in light of this trend.  In particular, companies without written data security and privacy policies and programs should evaluate the risks of continuing without such a program in place.