This week, the CFPB made its first foray into the data privacy arena by entering into a Consent Order with online payment processor, Dwolla. Inc. via an administrative proceeding. The Consent Order sends a clear message across the consumer financial services arena that the CFPB will use its UDAAP umbrella to extend its reach and that no consumer harm is required for the CFPB to flex its muscle.
According to the CFPB, it took action because Dwolla “deceived consumers about its data security practices and the safety of its online payment system.” Without admitting any wrongdoing, the Consent Order includes findings that Dwolla collected and stored consumers’ private information and provided a platform for financial transactions. According to the findings, Dwolla represented that it maintained “reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.” However, the CFPB concluded that Dwolla in fact did not take reasonable and appropriate measured to protect consumer data. Specifically, the Order finds that, among other things:
- For a significant period of time, Dwolla did not adopt or implement reasonable and appropriate data-security policies and procedures to govern the collection, maintenance or storage of consumers’ personal information;
- For a significant period of time, Dwolla failed to conduct adequate regular risk assessments to identify reasonably foreseeable internal and external risks to information and to assess the safeguards in place to control these risks;
- For a significant period of time, Dwolla did not provide adequate employee training as to the handling and protection of consumers’ personal information;
- For a significant period of time, Dwolla transmitted consumers’ personal information without encrypting it; and
- For a significant period of time, Dwolla did not adequately manage its vendors as to data security.
Pursuant to the Consent Order, Dwolla is required, to the extent it has not done so already:
- Accurately represent in its marketing, advertising, promotion or administration of its electronic payment networks the data security practices implemented by Dwolla;
- Implement a comprehensive Written Information Security Plan which mirrors the requirements of GLBA’s Safeguard Rules and which:
- Designates a qualified person to coordinate its data security program;
- Identifies reasonably foreseeable internal and external risks to the security and confidentiality of consumer nonpublic information and assess the sufficiency of the institution’s safeguard in place to control those risks, including risks in areas of operation specifically:
- Employee training and management; and
- Confidentiality and integrity of Dwolla’s network systems or apps and storage systems;
- Implement safeguards to manage the identified risks and regularly test and monitor risks;
- Develop, implement and maintain reasonable procedures for the selection and retention of service vendors capable of maintaining security practices consistent with the Consent Order; and
- Evaluate and adjust the data security program in light of the results of the risk assessments and monitoring.
- Retain a third party independent auditor to conduct an annual data-security audit of Dwolla’s data security practices; and
- Pay a civil monetary penalty of $100,000.00.
Several things make this order significant and banks and nonbanks alike should take note:
- Prior to this action, there had been no indication by the CFPB, either through its website or other publications, that it was focused on data security leading many to assume they would defer to the FTC and other regulators on issues of data privacy;
- Gramm Leach Bliley and its Safeguard Rules (which provide for the protection of consumer nonpublic information by financial service providers) are not among the enumerated consumer protection statutes over which the CFPB has jurisdiction;
- The Consent Order reflects the CFPB’s position that its UDAAP (unfair and deceptive acts) umbrella liability is expansive enough to take on data security issues; and
- The Consent Order makes no finding of a data breach or some other sort of consumer or injury.
Banks and nonbanks alike should pay close attention to the Dwolla Order and expect to see the CFPB continue take expansive views of its authority to regulate.