On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.
In the consent order, the CFPB alleges that Dwolla mispresented that it “employ[ed] reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and that its network and transactions were “safe,” “secure” and compliant with the standards set forth by the PCI Security Standards Council. Specifically, the CFPB found that Dwolla failed to:
- adopt and implement data security policies and procedures reasonable and appropriate for the organization;
- use appropriate measures to identify reasonably foreseeable security risks;
- ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
- use encryption technologies to properly safeguard sensitive consumer information; and
- practice secure software development, particularly with regard to consumer-facing applications developed on an affiliated website, Dwollalabs.com.
In addition to the $100,000 fine, Dwolla was ordered, for the next five years, to adopt and implement reasonable and appropriate data security measures to protect consumers’ personal information on its networks and applications, including:
- implementing a comprehensive data security plan reasonably designed to protect the confidentiality, integrity and availability of sensitive consumer information;
- conducting semiannual data security risk assessments;
- conducting regular, mandatory employee training on (1) data security policies and procedures, (2) the safe handling of consumer’s sensitive personal information, and (3) secure software design, development and testing;
- obtaining an annual data security audit from an independent, qualified third party, using procedures and standards generally accepted in the profession; and
- implementing reasonable procedures for the selection and retention of service providers capable of maintaining security practices consistent with the consent order, and requiring service providers by contract to implement and maintain appropriate safeguards.