CFPB’s First Data Security Action; Fines Online Platform Dwolla for Alleged Weak Security Practices
On March 2, the CFPB settled its first data security enforcement action against Iowa-based Dwolla Inc. Launched as a startup in 2009, Dwolla is an online payment platform that enables customers to transfer money directly to/from their bank accounts. Since its inception, Dwolla had been collecting customers’ sensitive personal information, including their name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN. By May 2015, Dwolla allegedly had amassed 650,000 users and was transferring on their behalf an estimated $5 million a day.
The CFPB alleged Dwolla had built its brand on the promise of robust data security practices, such as the following statements made on the company’s website or directly to consumers:
“Dwolla empowers anyone with an internet connection to safely send money to friends or businesses.”
“Dwolla sets a new precedent for the industry for safety and security.”
Dwolla stores consumer information “in a bank-level hosting and security environment.”
Dwolla encrypts data “utilizing the same standards required by the federal government.”
“All information is securely encrypted and stored.”
Contrary to these representations, the CFPB alleged that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from unauthorized access, failed to maintain PCI DSS compliance, failed to encrypt “some” sensitive personal information, and released applications to the public before testing whether they were secure. The consent order requires that Dwolla stop misrepresenting its data security practices, enact comprehensive data security measures and policies, train employees, and fix security vulnerabilities. In addition, Dwolla must pay a $100,000 penalty to the CFPB.
This enforcement action serves as a cautionary tale: companies claiming robust data security practices will be held accountable if those representations are not truthful and supported, and may face scrutiny from any number of government enforcers, including the States, the FTC, FCC, and now the CFPB. Proactively vetting the accuracy of all such claims and verifying reasonable and appropriate privacy and security measures can help prevent a company from becoming the next enforcement (and hacker's) target.