On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc.  The five-year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.”  Dwolla neither admitted nor denied that it engaged in data security misrepresentations.  The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things.  The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors.

The basis for the CFPB’s action is the Dodd-Frank Wall Street Reform and Consumer Protection Act, which grants the CFPB authority to enforce against companies that engage in unfair, deceptive, or abusive acts or practices when offering consumer financial products or services.  The CFPB action follows well over a decade of Federal Trade Commission (FTC) data security enforcement under Section 5 of the FTC Act’s prohibition on unfair or deceptive trade practices.  The FTC has traditionally brought Section 5 data security enforcement actions against a wide array of companies after public data breaches or press reports of security vulnerabilities led to investigations. The proceeding against Dwolla is noteworthy not only because it is the first CFPB data security action, but because Dwolla does not appear to have been the subject of a publicly-reported data breach or publicity about security vulnerabilities.  The CFPB now joins the Federal Communications Commission as an agency that has only recently acted to enforce against companies for alleged data security shortcomings relating to consumer personal data.

In its action against Dwolla, the CFPB focuses on allegedly deceptive statements made to consumers regarding the safety and security of their sensitive financial and other personal information. The CFPB Consent Order notes that Dwolla had made affirmative representations to consumers — both on its website and in direct communication — that its network was safe and secure. In addition, Dwolla represented that its data security practices “exceeded industry standards,” that “[a]ll information [wa]s securely encrypted and stored” using “industry standard encryption technology,” and that Dwolla was “PCI compliant.” The Order identifies these and other, similar, statements as deceptive, noting that Dwolla, “[i]n fact,” failed to employ these security measures.

The CFPB alleges that Dwolla failed specifically with respect to the following:

  1. Data Security Policies and Procedures. Dwolla did not adopt or implement a written data security plan to govern the collection, maintenance or storage of the personal information of consumers, as would be reasonable and appropriate for the organization.
  2. Risk Assessments. Dwolla did not conduct adequate, regular risk assessments to identify reasonably foreseeable risks to the personal information of consumers or assess the safeguards that were in place to control those risks.
  3. Employee Training. Dwolla employees received little-to-no data security training in connection with the handling and protection of consumer personal information. And, when a third party auditor performed penetration testing of the website using phishing emails as a test and a large percentage of employees clicked on a bogus url, Dwolla did not address the results of the phishing test or educate its personnel on the dangers of phishing.
  4. Encryption. Although Dwolla represented that all information was encrypted, it did not use encryption technologies to properly safeguard sensitive consumer information and, in fact, stored, transmitted, or caused to be transmitted sensitive personal consumer information, such as Social Security numbers, without encryption. In addition, Dwolla encouraged the submission of sensitive information via email in clear text.
  5. Software Development. Dwolla did not practice secure software development. Dwolla employed a developer with no data security training.  Dwolla also failed to conduct risk assessments or penetration tests on the website run by the developer on which the Dwolla apps were published. Lastly, the developer failed to comply with Dwolla’s software development security practices and released applications prior to testing the security of such applications to ensure that consumer personal information was protected. 

To address these concerns, the Order provides that Dwolla must adopt and implement reasonable and appropriate data security measures to protect the personal information of consumers, including designating a qualified person to be accountable for the data security program; conducting bi-annual data security risk assessments; conducting regular, mandatory employee training on data security; developing and implementing appropriate methods of consumer authentication; and developing and implementing reasonable procedures for the selection of service providers, among other things. In addition, the Order provides that Dwolla must obtain an annual data security audit from an independent, qualified third party.

Notably, the Order requires the Dwolla board to ensure compliance with the Order and provides that the board will bear ultimate responsibility for Dwolla’s compliance. In connection with the board–level review, the Order requires that the board provide timely status reports regarding Dwolla’s compliance with the Order.  Dwolla’s obligations under the Consent Order last five years from the beginning of the Consent Order unless Dwolla violates it.

Many of the conduct requirements are similar to the FTC’s approach to Section 5 data security consent decrees although the shorter term is notable (FTC data security consent decrees frequently run 20 years) as is the CFPB’s broadening of obligations to the board of directors. The CFPB’s authority to impose a fine in the first instance also distinguishes it in this area from the FTC.

CFPB-regulated entities should take note of the Agency’s action and, in particular, the remediation requirements of the Dwolla consent decree, which indicate the CFPB’s expectations for corporate data security programs.