On March 2, 2016, the CFPB issued its first enforcement action directed at an organization’s information security practices. Dwolla, Inc., an online payment network based in Des Moines, Iowa, entered into a Consent Order with the CFPB (“Consent Order”), which identifies “deceptive acts and practices relating to false representations” relating to the company’s data security practices in violation of UDAAP.
According to the CFPB, Dwolla falsely claimed its data security practices exceeded or surpassed industry security standards and that information was securely encrypted and stored, all in accordance with Payment Card Industry Data Security Standards. While the CFPB did not point to any specific breach of data security at Dwolla, the Consent Order states that Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.”
CFPB Director Richard Cordray stated in a press release, “Consumers entrust digital payment companies with significant amounts of sensitive personal information. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
According to the press release, Dwolla collects and stores sensitive personal information of its customers in connection with providing an online platform to transfer funds, including names, addresses, dates of birth, telephone numbers, social security numbers, bank account and routing numbers, passwords and PIN numbers. The CFPB noted that as of May 2015, Dwolla had more than 650,000 users and had transferred as much as $5 million per day.
Pursuant to the Consent Order, Dwolla has agreed to pay a $100,000 civil money penalty, stop misrepresenting its data security practices, enact a comprehensive data security plan, train employees properly and conduct data security audits, among other requirements.
The CFPB’s action against Dwolla raises the stakes for financial organizations as they attempt to avoid what can be catastrophic reputational and financial costs of a breach of sensitive consumer data. The financial industry recognizes it is a prime target for data theft and must continuously work to stay ahead of data thieves. The CFPB has signaled that, in addition to working to prevent a data breach, financial organizations, particularly those operating online, must avoid over-promising on data security.
Organizations that routinely collect and store sensitive consumer identification and financial information should review customer agreements, promotional materials and other consumer-facing documentation to ensure the organization’s data security practices are consistent with representations made to consumers. Companies that promise consumer data is “safe” or “secure” may find themselves facing UDAAP claims if there is a data breach or financial regulators determine the company’s data security program is lacking.