CFPB’s First Foray Into Data Security Makes $100,000 Splash
March 04, 2016
Thomas Brown and Molly Swartz
On March 2, the Consumer Financial Protection Bureau (the “Bureau”) announced an enforcement action against the online payment processor Dwolla Inc. (“Dwolla”). This is the Bureau’s first enforcement action related to data security under its authority to prohibit unfair, deceptive, and abusive acts and practices (“UDAAP”). Finding that Dwolla had deceived consumers about its data security practices, the Bureau ordered Dwolla to pay $100,000 in civil penalties, to stop misrepresenting its data security practices, to train employees in its data security policies, and to fix existing security flaws.
This action marks a sharp departure from previous Federal Trade Commission (“FTC”) actions involving unfair or deceptive data security claims. While the FTC has ordered companies to revise and restructure their existing data security programs, it has not imposed substantial financial penalties even where consumers were harmed (the FTC, unlike the Bureau, generally cannot obtain civil penalties for a first-time violation of Section 5 of the FTC Act). In the FTC’s recent action against Wyndham Worldwide Corporation, for example, the FTC alleged that Wyndham’s security practices exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches, resulting in more than $10.6 million in fraudulent charges, unreimbursed fraudulent charges, and lost access to funds or credit. The resulting order required the company to establish a comprehensive information security program to protect cardholder data, conduct annual information security audits, and safeguard its servers. Yet even though Wyndham’s practices resulted in tangible injury to consumers, the FTC did not levy any financial penalty.
In the Dwolla matter, by contrast, the Bureau did not allege that consumers were harmed in any way: there is no allegation that Dwolla’s platform was hacked or otherwise compromised, or that Dwolla users suffered a fraud loss or other financial injury. The Bureau nonetheless assessed a significant $100,000 penalty. Penalizing a company for faulty data security practices in the absence of consumer harm signals an aggressive new standard for UDAAP enforcement in the data security space, one that may be particularly unwelcome to earlier-stage companies that have not yet fully vetted their data security policies.
Dwolla provides an online payment network that allows a consumer to transfer funds from their Dwolla account or personal bank account to Dwolla accounts owned by others. Since 2009, Dwolla has collected and stored consumers’ sensitive information, including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN. From January 2011 until March 2014, Dwolla represented to consumers that its network and transactions were “safe and secure.” Among other statements, Dwolla claimed that its data security practices “exceed industry standards” or “surpass industry security standards” and that Dwolla “encrypt[ed] data in transit and at rest.” Dwolla further claimed that it was compliant with standards set by the Payment Card Industry (PCI) Security Standards Council.
In taking action against Dwolla, the Bureau found that Dwolla’s representations regarding its data security policies and procedures were inaccurate. In particular, Dwolla failed to:
Adopt or implement a written data security plan to govern the collection, maintenance or storage of consumers’ personal information;
Conduct regular risk assessments to identify potential risks to consumers’ personal information;
Ensure that employees who accessed or handled consumer information received adequate data security training. For example, the software developer leading one of Dwolla’s software development operations (“DwollaLabs”) had no data security training whatsoever;
Use encryption technologies to properly safeguard sensitive consumer information. In numerous instances, Dwolla stored, transmitted, or caused to be transmitted consumer personal information without encrypting that data. This unencrypted data included Social Security numbers and digital images of driver’s licenses; or
Practice secure software development. Although DwollaLabs created applications and released them to the public, Dwolla did not test the security of the apps, despite the fact that sensitive consumer data was stored on these apps.
Dwolla’s representations regarding its data security practices, the Bureau determined, were likely to mislead a reasonable consumer into believing that Dwolla had incorporated reasonable and appropriate data-security practices when it had not. Further, these representations were material because they were likely to affect a consumer’s choice or conduct regarding whether to become a member of Dwolla’s network. Accordingly, the Bureau determined that Dwolla’s practices constituted deceptive acts or practices in violation of the Consumer Financial Protection Act of 2010, 12 U.S.C. § 5531(a) and § 5536(a)(1)(B).
As noted above, this action represents the Bureau’s first foray into data security and a bold exercise of UDAAP authority. With a rise in data breaches and increasing consumer use of online payment systems, the enforcement action reflects the Bureau’s interest in ensuring that consumer financial information is stored safely and securely. However, the Bureau’s willingness to levy a financial penalty in the absence of consumer harm is a serious departure from FTC precedent.
In response to the action, clients who handle sensitive consumer information—and particularly, consumer financial information—are encouraged to re-evaluate their existing practices and consider the following actions to minimize enforcement risks:
Review communications to consumers to ensure the truth and accuracy of statements regarding data security. This includes websites and direct communications with consumers. Make sure that any and all representations regarding data security practices reflect your actual practices.
Review, update and ensure implementation of existing data security policies and procedures. Make sure that you have adopted and implemented reasonable and appropriate data security policies and procedures governing the collection, maintenance, and storage of consumers’ personal information. This includes, but is not limited to, preparing a comprehensive written data security plan containing administrative, technical, and physical safeguards appropriate to the size and complexity of your company, the nature and scope of your activities, and the sensitivity of the personal information you collect about consumers.
Engage in periodic risk assessments and other measures to identify reasonably foreseeable security risks. Conduct data security risk assessments of each relevant area of operation to identify internal and external risks to the security, confidentiality, and integrity of your network, systems, and apps, and to the sensitive consumer information you store, and to assess whether the safeguards in place are sufficient to control those risks.
Ensure proper data security training of relevant employees. Conduct regular, mandatory employee training on your company’s data security policies and procedures; the safe handling of consumers’ sensitive personal information; and secure software design, development and testing. Select service providers capable of maintaining your company’s security practices, and verify that they do.
Designate a qualified person to coordinate and be accountable for your data security program. For example, a Chief Privacy Officer or Chief Compliance Officer can help ensure proper implementation of, and updates to, existing data security policies and procedures.
Ensure encryption of sensitive consumer data in transit and at rest. This may require an audit of current technical practices: where sensitive fields are actually stored, which paths carry them, and whether each is encrypted. Encryption at rest protects data only if the keys are managed separately from the data they protect. Additionally, do not request or otherwise encourage consumers to submit sensitive information via email in clear text.
Test the security of new software and applications. Think twice before releasing to the public untested websites or mobile applications that store sensitive personal information, and establish a process to develop and deploy patches promptly when vulnerabilities are found.
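As an added illustration of the audit recommended above (the Bureau’s findings against Dwolla included Social Security numbers stored and transmitted in clear text), and not code from this article, the Bureau, or Dwolla, the following Python script scans records and request-log lines for Social Security numbers and ABA bank routing numbers that were never encrypted. It assumes a hypothetical field-level encryption layer that writes ciphertext with an “enc:v1:” prefix; the records, log lines, and the sample SSN 078-05-1120 are constructed for the example.

```python
"""Added example: find plaintext SSNs and bank routing numbers in stored
records and request logs. Sample data below is constructed for illustration."""
import re
from typing import Dict, Iterable, List, Tuple

# Social Security number structure (SSA rules): area 001-899 excluding 666,
# group 01-99, serial 0001-9999, written with hyphens.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Any run of exactly nine digits is a routing-number candidate; the ABA
# checksum below decides whether it really is one.
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")

# Assumption for this example: a hypothetical field-level encryption layer
# stores ciphertext as "enc:v1:<base64>", so anything without the prefix is
# plaintext. A real audit would check the envelope its own layer uses.
CIPHERTEXT_PREFIX = "enc:v1:"


def valid_aba_routing(digits: str) -> bool:
    """ABA routing-number check digit: weights 3,7,1 repeated, total mod 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def find_plaintext_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for each SSN or checksum-valid routing number in text."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    hits += [("routing", m.group(0)) for m in NINE_DIGITS_RE.finditer(text)
             if valid_aba_routing(m.group(0))]
    return hits


def audit_records(records: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag fields holding sensitive values that bypassed the encryption layer.

    Free-text fields are scanned too: PII leaks into notes and comments at
    least as often as into the column designed to hold it."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            if value.startswith(CIPHERTEXT_PREFIX):
                continue  # written through the encryption layer; nothing to flag
            for kind, _ in find_plaintext_pii(value):
                findings.append({"record": rec["id"], "field": field, "kind": kind})
    return findings


def audit_log_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag log lines carrying PII in clear text. Only a redacted form is
    reported, so the audit output does not become one more plaintext copy."""
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, value in find_plaintext_pii(line):
            redacted = value[:3] + "*" * (len(value) - 3)
            findings.append({"line": number, "kind": kind, "value": redacted})
    return findings


# Constructed sample data (not real customer data). 021000021 is a public
# bank routing number; 078-05-1120 is a long-retired sample SSN.
SAMPLE_RECORDS = [
    {"id": 1, "ssn": "enc:v1:7hC0QnM2", "routing": "enc:v1:Q2lwaGVy", "note": "verified"},
    {"id": 2, "ssn": "078-05-1120", "routing": "021000021", "note": "migrated from legacy table"},
    {"id": 3, "ssn": "enc:v1:9fA1ZXhh", "routing": "enc:v1:xk2PbXBs",
     "note": "customer read SSN 078-05-1120 over the phone"},
]
SAMPLE_LOG = [
    "2016-03-02T10:14:07Z POST /api/verify user=42 ssn=078-05-1120 status=200",
    "2016-03-02T10:14:09Z POST /api/link-bank user=42 routing=021000021 account=****4321 status=200",
    "2016-03-02T10:14:12Z GET /api/balance user=42 status=200",
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print("record", finding)
    for finding in audit_log_lines(SAMPLE_LOG):
        print("log", finding)
```

Run against the sample data, the script flags record 2 (SSN and routing number stored in clear text), record 3 (an SSN pasted into a free-text note even though the SSN column itself is encrypted), and the two log lines that echo an SSN and a routing number. The routing-number checksum keeps nine-digit timestamps and identifiers from producing false positives; the free-text scan and the log scan are the parts most audits skip and most leaks exploit.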