A few weeks ago the Consumer Financial Protection Bureau (CFPB) struck new ground when it entered into a consent order with online payment platform Dwolla. The CFPB found that Dwolla misrepresented its data security practices and the safety of its system. The CFPB ordered Dwolla to pay a $100,000 penalty and revise its internal practices.
This represents the first time that the CFPB has used its authority to prevent unfair, deceptive or abusive acts against a company’s data security practices. It is remarkable because the action was taken by the CFPB in the absence of any data breach. In other words, the fact that Dwolla’s representations about its security practices were inaccurate was enough to warrant the CFPB action.
The CFPB found that Dwolla falsely represented to its customers that its network was safe and secure, that Dwolla transactions were safer than credit cards, that Dwolla’s data security practices exceed industry standards, and that all information on the Dwolla platform is securely encrypted and stored.
In particular, the CFPB alleged that Dwolla:
- Failed to adopt appropriate data security policies for the collection and storage of consumer personal information,
- Failed to conduct adequate, regular risk assessments,
- Failed to train employees on responsibilities for handling and protecting consumer personal information, and
- Failed to encrypt consumer personal info, and required consumer information submission in clear text.
Further, Dwolla’s software development of apps was not tested for data security.
Dwolla was ordered to establish data security plans and policies, conduct data security risk assessments twice annually, conduct mandatory employee training on data security policies, develop security patches to fix vulnerabilities, develop customer identity authentication at the registration phase and before effecting a funds transfer, develop procedures to select service providers capable of maintaining security practices, and obtain an annual data security audit.
Two lessons come through loud and clear. First, companies should be very careful about statements made concerning the safety of its system and its security practices. All representations about such issues need to be validated by management to ensure accuracy. Second, the actions mandated by the CFPB, set forth in the paragraph immediately above, point to a new standard. This indicates the types of actions the CFPB will be looking for. Consider this guidance from the CFPB on security practices that should be adopted.
We recommend that all companies heed the lessons gleaned from the CFPB Dwolla action by: 1) reviewing representations to the public to be sure those representations are entirely accurate, and 2) auditing current practices to confirm compliance with the actions ordered by the CFPB.