First Bureau Data Security Enforcement Action Taken Against Dwolla
The Consumer Financial Protection Bureau (CFPB) announced a consent order (finalized on February 27, 2016) against Dwolla, Inc., an online payments platform, for deceptive acts relating to its data security practices. The enforcement action is the CFPB's first foray into regulating the data security practices of consumer financial service companies, an enforcement area where the Federal Trade Commission (FTC) has typically been more active in recent years.1
Dwolla provides an online payments platform that allows consumers to transfer funds from their Dwolla account to the Dwolla account of another consumer or merchant. Consumers can make transfers using funds pre-loaded to their Dwolla account or from a personal bank account linked to their Dwolla account. To become a member and open an account with Dwolla, a consumer must provide their name, address, date of birth, telephone number, and social security number, as well as their bank account and routing numbers if they will transfer funds by linking their bank account. As of May 2015, Dwolla had approximately 653,000 members and transferred as much as $5,000,000 per day.
According to the CFPB, during the period from January 2011 to March 2014, Dwolla made various representations to consumers about the safety and security of transactions on its platform. Dwolla stated that its data security practices "exceed industry standards," that it encrypts all information received from consumers, and that it complied with standards promulgated by the Payment Card Industry Security Standards Council (PCI-DSS). Notwithstanding these representations, the CFPB alleged that Dwolla had not adopted and implemented appropriate written data security policies and procedures, did not encrypt sensitive consumer information in all instances, and was not PCI-DSS compliant. According to the CFPB, Dwolla's inaccurate representations constituted deceptive acts and practices in violation of the Consumer Financial Protection Act of 2010. Under the consent order, Dwolla must pay a $100,000 fine and take certain steps to improve its data security practices.
Companies within the CFPB's jurisdiction should take note of the consent order's specific allegations with regard to perceived deficiencies in Dwolla's practices. This section of the consent order, paragraphs 28 to 48, provides useful guidance on the CFPB's expectations in the following areas:
- Data Security Policies and Procedures: Companies should adopt and implement reasonable and appropriate written data security policies governing the collection, maintenance, and storage of consumer personal information.
- Risk Assessments: Companies should conduct regular risk assessments to identify reasonably foreseeable internal and external risks to consumer's personal information and assess safeguards designed to protect that information.
- Employee Training: Companies should train their employees on their responsibilities with regard to handling and protecting consumer personal information.
- Encryption: Companies should employ relevant industry standards for data encryption, such as PCI-DSS for payments companies. Sensitive information should not be communicated to or from the company by clear text in emails.
- Software Testing: Companies should conduct appropriate risk assessments and penetration tests on new software products prior to releasing them to consumers.
Consumer financial services companies and their service providers should also take note of the CFPB's specific line of reasoning in the Dwolla case. The CFPB does not allege anywhere in the consent order that Dwolla's data security practices led to a data breach or any other specific consumer harm. Nor does the CFPB invoke any specific statute that would provide it direct authority over data security practices. Instead, the CFPB pursued Dwolla under its general authority to prevent unfair, deceptive, and abusive acts and practices based on Dwolla's alleged misrepresentations. In other words, the absence of a specific breach incident or governing data security statute is not sufficient to shield a company from CFPB enforcement. Further, the CFPB's argument here is very similar to the approach the FTC has taken under its own authority to prevent unfair and deceptive practices, but, unlike the FTC, the CFPB has the authority to impose civil monetary penalties as part of an initial enforcement action.
As the Dwolla case is likely an indication that the CFPB will become more active in data security-related enforcement actions, companies subject to CFPB jurisdiction should take this opportunity to review both their data security practices and any representations made to consumers about those practices.