For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.
The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices "exceed" or "surpass" industry security standards, when in fact Dwolla had failed to employ reasonable security measures to protect consumer data. Dwolla also claimed that "all information is securely encrypted and stored" and that its mobile applications were safe and secure. The CFPB found, however, that Dwolla did not encrypt certain sensitive consumer information and released applications to the public without first testing whether they were secure. The agency cited several other statements by Dwolla that could not be substantiated.
The CFPB’s action is a warning to financial institutions that they should not exaggerate their data security practices. It is easy for a marketing department to make statements about the strength of a company’s privacy and security, especially if competitors say similar things, because those are buzzwords consumers want to hear. And sales people may make certain claims to close a deal, even if those statements cannot be substantiated. The CFPB has indicated it will not sit back and wait for consumers to be harmed in a data breach, but will actively review companies’ data security practices and claims made about those practices, during examinations and otherwise.
Until now, the FTC has been the primary data security regulator. The CFPB, relying on its authority to take action against financial institutions engaged in unfair, deceptive or abusive acts or practices, has now squarely inserted itself into this domain. The remedies imposed by the CFPB generally align with the FTC's, such as a monetary penalty, a prohibition against making future misleading statements, and requirements to improve data security. However, the CFPB emphasized that data security should be a priority for the board of directors and included a requirement that the board monitor, and bear ultimate responsibility for, Dwolla's compliance with the Consent Order.
The CFPB is an active regulator and will likely continue to make waves in the data security area. It will be interesting to see how the CFPB and FTC, along with other regulators such as the DOJ and state attorneys general, work together in policing data security going forward. Competition to be the toughest “cop” could lead to better consumer protection and positive press for the agencies; on the other hand, jurisdictional struggles could detract from those goals and waste time and money.