The Consumer Financial Protection Bureau has levied its first fine for data security breaches against online payments start-up Dwolla. The CFPB alleges that in its early years, Dwolla duped consumers into thinking its security practices met or exceeded industry standards. (The Payment Card Industry Data Security Standard in particular.) In reality, according to the CFPB, Dwolla failed to implement a written data security policy or to conduct adequate training of its employees. Training wasn’t mandatory until mid-2014, almost two years after a 2012 test showed that a staggering number of Dwolla employees were conned by a phishing email into exposing the company’s systems. Dwolla also failed to encrypt sensitive consumer information and didn’t test its software for security flaws before deployment.
In many ways, the Dwolla consent order follows the FTC’s post-Wyndham playbook. The CFPB is faulting the company for deceptive consumer practices rather than security failings themselves. Dwolla will pay a $100,000 fine and has agreed to a variety of forward-looking provisions, such as fixing known security flaws and improving training. In addition, Dwolla has agreed to an “obey the law” clause. Following these controversial clauses is of course no small feat, particularly in cases like this: The law in question is extraordinarily vague, prohibiting nothing less than all “unfair, deceptive, or abusive act[s] or practice[s]”.