For First Time Ever, Consumer Financial Protection Bureau Penalizes a Company over Misrepresentations of Data Security
The Consumer Financial Protection Bureau's penalty against Iowa-based payment processing startup, Dwolla, Inc. (Dwolla), is the first time the CFPB has issued a consent order against a company over data security. The agency alleges that Dwolla deceived consumers about its data security practices and the safety of its online payment systems. The company is subject to a $100,000 fine and must enact comprehensive security measures, including fixing current flaws in its systems and training employees.
In pursuing Dwolla for these representations, the CFPB is exercising its broad authority to regulate "unfair, deceptive, or abusive acts and practices," or UDAAP, under 12 U.S.C. 5531 and 5536. The scope of UDAAP is only vaguely defined by the statute, and reaching data security representations by consumer finance companies is a new angle for the CFPB. These representations do not relate to the consumer financial product itself, so the action raises questions about what other practices peripheral to the financial products the agency was created to regulate the CFPB may decide to pursue. UDAAP-based actions by the CFPB are significant because, in addition to the variety of forms of relief available under the statute, 12 U.S.C. 5565, the penalty for a knowing violation can be up to $1 million per day.
UDAAP principles also parallel those underlying state law unfair trade practice claims, and the CFPB's action suggests that data security representations like Dwolla's could be the basis for similar state law claims or enforcement actions by state regulators. Because the penalty against Dwolla is the first of its type by the CFPB, the facts surrounding Dwolla's alleged misrepresentations are significant to understanding the agency's decision.
Dwolla launched in December 2009 and is a payment network allowing consumers to register with the company to transfer funds to fellow Dwolla members. Funds for transfers come either from funds stored in the consumer's Dwolla account or from a personal bank account linked to the consumer's Dwolla account. To open an account, consumers submit information such as their name, address, date of birth, telephone number, Social Security number, and in some instances, bank account and routing information. Dwolla stores all of this personal information, and consumer funds are held in a single, pooled account with a federal and/or state-chartered bank. As of May 2015, the company had approximately 653,000 members and was making transfers of as much as $5 million per day.
Dwolla's direct communications to consumers, including language on its website, represented that its network was safe and secure. This language stated:
- Dwolla transactions are "safer [than credit cards] and less of a liability for both consumers and merchants";
- The company's data-security practices "exceed industry standards" or "surpass industry security standards";
- Dwolla stores consumer information "in a bank-level hosting and security environment"; and
- The company encrypts data "utilizing the same standards required by the federal government."
The company made additional representations regarding its encryption and data security measures, including stating that the company's transactions, servers, and data center were PCI-compliant. PCI, or Payment Card Industry, refers to a global organization whose council issues compliance standards adopted by the world's largest card networks.
The consent order maintains that Dwolla "in fact" failed to employ these security measures. The CFPB alleges that Dwolla misrepresented its data security because the company failed to employ reasonable and appropriate measures to protect data obtained from consumers.
The consent order highlighted certain missteps by Dwolla. From the company's launch until October 2013, it had not adopted a written data security plan, nor had it conducted regular risk assessments to identify reasonably foreseeable internal and external risks. The order also indicated that the company did not encrypt some sensitive consumer personal information and failed to test applications for security before releasing them to the public. The company also had not adequately trained its employees on data security: it held its first employee training in mid-2014, nearly two years after Dwolla hired an auditor to perform a phishing risk test on employees (the results of which were not shared with employees).
The CFPB asserts that Dwolla's security measures fell short of its representations about its data security practices, and that such deception about security and security practices is a violation of the Consumer Financial Protection Act.
The action against Dwolla lends a few cautionary lessons:
- The CFPB has given the public notice that it will engage in data security enforcement. The agency's penalty is a warning not only to companies that operate in the same space as Dwolla (i.e., online payment companies collecting and storing consumers' personal information) but also to any company that makes representations (in direct communications, on a website, or otherwise) about its data security measures.
- It is unclear whether the agency's decision hinges purely on the misrepresentations made by Dwolla or whether the order also implies a substantive requirement for companies to become PCI-compliant.
- The remediation actions Dwolla must take as a result of the penalty suggest measures that companies may also want to take to guard against the risk of exposure. These include:
  - Adopt and implement reasonable and appropriate data security measures to protect consumer personal information on networks and applications.
  - Establish, implement, and maintain a written comprehensive data security plan (including a program of risk assessments and audits).
  - Train employees on the company's data security policies.
  - Fix security weaknesses and securely store and transmit consumer data.
  - Consider compliance certifications (such as PCI compliance) and annual data security audits.
The key takeaway is to give careful consideration to this action by the CFPB and to remain proactive in implementing risk assessments and protocols, particularly when representing data security measures to consumers.
For Further Information
If you would like further information regarding this matter, please contact David Katz or the other lawyers listed below, any members of our Privacy and Data Security or Consumer Financial Services Litigation practices, or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice.
For more information, please contact:
David Katz, 404.322.6122
Carmen Thomas, 803.255.9385
Bess Hinson, 803.255.5572
Will Gibbs, 864.250.2300
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.