The Consumer Financial Protection Bureau (CFPB ) has taken its first UDAAP action against a consumer financial service provider related to data security practices. Since its launch in December 2009, Dwolla, Inc. ("Dwolla"), an online payment service company, has collected and stored consumers’ sensitive personal information while providing a platform for online financial transactions.

The CFPB found that from 2010 to 2014, Dwolla misrepresented to consumers that its network and transactions were "safe" and "secure," in violation of the Consumer Financial Protection Act’s prohibition on Unfair and Deceptive or Abusive Acts or Practices (UDAAP). Specifically, the CFPB found that Dwolla misrepresented on its website and in communications, that:

  • It employed "reasonable and appropriate measures to protect data obtained from consumers." Dwolla did not adopt or implement data security policies and procedures, or a written data security plan, until 2012 and 2013 respectively and did not conduct its first comprehensive risk assessment until mid-2014.
  • "100%" of its consumers’ information was "encrypted and stored securely." Dwolla did not, in all instances, encrypt consumers’ Social Security numbers, bank account information, names, addresses, 4-digit PINS, or digital images of driver’s licenses and Social Security cards.
  • Its data security practices "exceed" or "surpass" industry security standards. Dwolla did not conduct its first mandatory employee data security training until more than one year and a half after a penetration test demonstrated such training was needed.
  • Its transactions, servers and data centers were "safer than credit cards" and "PCI compliant." Dwolla’s transactions, servers and data centers were not compliant with standards issued by the Payment Card Industry (PCI) Security Standards Council.

A $100,000 civil money penalty was assessed against Dwolla and the company was ordered to stop misrepresenting its data security practices, fix those practices and train its employees. Dwolla consented to the order without admitting or denying the CFPB’s findings of fact or conclusions of law. However, on the day the order issued, Dwolla announced in a blog post on its website that it never detected any evidence or indicators of a data breach, or received a notification or complaint of such an event.

CFPB Director Richard Cordray said, "With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices." Considering the agency’s aggressive action and heavy reliance on the UDAAP in its enforcement orders, the Dwolla action signifies representations about data security are now on the CFPB’s radar as well.