On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service. The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices. The Order also provides some guidance as to the types of data security policies and practices the CFPB considers important.
The subject of the Consent Order is Dwolla, Inc., an online payment platform that allows members to transfer money to other members or merchants. The CFPB found that Dwolla made material misrepresentations to consumers concerning the “reasonableness and appropriateness” of the company’s data security practices. For example, Dwolla said its transactions were “safer [than credit cards],” and that its practices “exceeded” or “surpassed” industry security standards, complied with Payment Card Industry Security Standards, and “set a new precedent for the industry for safety and security.”
In fact, the CFPB found that Dwolla, among other things,
- failed to adopt reasonable and appropriate data-security policies and procedures, including a failure to have any written plan in place for approximately three years;
- did not conduct regular internal risk assessments to identify reasonably foreseeable risks to security;
- implemented little to no employee training on data security; and
- transmitted or stored sensitive consumer information without encrypting the data.
Based on these findings, the CFPB ordered Dwolla to implement a series of new policies and procedures to protect consumers’ personal information and fined the company $100,000.
The CFPB’s Order has several important implications for companies providing financial products or services to consumers. First, the CFPB joins the growing list of government agencies pursuing data security enforcement actions, including the Securities and Exchange Commission and Federal Trade Commission. Second, unlike most prior agency actions, the CFPB issued this Order in the absence of any reported or documented data breaches at Dwolla—potentially raising the stakes for companies that fail to implement reasonable and appropriate safeguards before a breach occurs and warning that a data breach is not a necessary precursor for agency involvement. Third, the CFPB’s focus on representations to consumers—and its assessment of Dwolla’s actual data security practices in light of those representations—underscores the importance of accurately describing actual data security practices to avoid misleading consumers.
Finally, the specific actions the CFPB ordered Dwolla to undertake provide some guidance regarding the kind of data security measures consumer financial companies might consider implementing to satisfy the CFPB. These include:
- conducting internal annual or bi-annual data-security risk assessments;
- engaging an independent, qualified third party to conduct an annual data security audit, prepare findings, and form a compliance plan to be reviewed by the company’s Board of Directors or others in management;
- maintaining reasonable procedures for oversight of the company’s third-party service providers, including software development;
- encrypting personal consumer data;
- conducting regular and mandatory employee training;
- developing and maintaining appropriate customer identity authentication; and
- implementing and updating security patches to fix vulnerabilities in web or mobile applications.