Earlier this month, the Consumer Financial Protection Bureau (CFPB) made headlines by bringing its first enforcement action in the data security space.  Dwolla, Inc., an Iowa-based online payment processor, was the CFPB’s target.  According to CFPB Director Richard Cordray, “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing.  It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

In order to set up an account and move money online, Dwolla customers provide Dwolla with sensitive personal information, including address, telephone number, social security number, and bank account and routing information. According to the consent order, Dwolla made a variety of misrepresentations about the manner in which it secured such information.  For instance, Dwolla falsely claimed that it encrypts all personal information, and it also misrepresented that its data security procedures exceed industry standards.  To the contrary, the CFPB found that Dwolla did not encrypt all sensitive personal data and that it also “failed to employ reasonable and appropriate measures to protect data obtained from consumers.”  Pursuant to its authority to prohibit unfair, deceptive or abusive acts and practices, see 12 U.S.C. § 5536(a)(1), the CFPB consent order requires Dwolla to, among other things:

  • cease misrepresenting its data security practices;
  • adopt and implement reasonable and appropriate data security measures;
  • pay a $100,000 civil fine to the CFPB’s Civil Penalty Fund; and
  • meet various reporting and compliance monitoring requirements.

This enforcement action makes it clear that the CFPB is closely monitoring data security practices of companies that offer financial products and services.  It should also serve as a warning to any business that handles consumers’ personal and/or financial account information.  The following are some key takeaways:

  • Companies without strong written data security procedures should promptly review and implement appropriate data security protocols.
  • Companies should analyze their marketing materials to ensure that their data security representations align with their internal practices.
  • Even if a company hasn’t had a data security breach, it should still be mindful of the CFPB’s watchful eye.
  • Both the CFPB and the Federal Trade Commission (FTC) have authority to prohibit unfair and deceptive acts, and both have now brought data security enforcement actions under that authority.