On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) filed the first consent order (Order) addressing data privacy since the CFPB’s inception in 2010. The Order serves as a warning to all companies that collect, store and use sensitive customer information that misrepresentation of security practices, as well as noncompliant data protection procedures, will not be tolerated. Furthermore, in addition to exposing themselves to costly data breaches, loss of customer confidence and potential enforcement action by the Federal Trade Commission (FTC), companies with weak data security practices now face one more risk: a hefty fine from the CFPB.
The Order alleges that Dwolla, Inc. (Dwolla) misrepresented its data security practices to consumers. Dwolla, an Iowa-based company that provides payment transfer services, requires consumers to submit several pieces of sensitive personal information, including name, address, birth date, phone number, social security number, and bank account information, as a prerequisite to using its site. Dwolla is a key player in the payment app market; it is estimated that as of May 2015, Dwolla’s membership was 650,000, with payment transfers of up to $5,000,000 per day.
According to the Order, Dwolla made multiple misrepresentations regarding its data privacy practices and the security of its members’ personal information. Specifically, the Order alleges that Dwolla represented to consumers, both in direct communications and on its website, that it employed reasonable and appropriate measures to protect the personal data it collected, used and stored. Dwolla also represented that its data security practices exceeded or surpassed industry security standards and that it was compliant with the standards set forth by the Payment Card Industry Data Security Standard (PCI/DSS). Dwolla also made various representations regarding the encryption of its customers’ data.
In reality, however, Dwolla was not PCI/DSS compliant and its practices did not surpass or exceed industry standards. According to the Order, Dwolla failed to do the following:
- adopt or implement reasonable and appropriate data security policies and procedures;
- use appropriate measures to reasonably foresee security risks;
- ensure that its employees receive adequate training or guidance about security risks;
- use encryption technologies to safeguard customer information; and
- practice secure software development.
Indeed, the Order alleged that Dwolla stored and transmitted unencrypted personal information, including social security numbers, on numerous occasions and did not require its employees to undergo mandatory data security training until nearly four years after it began offering its services nationwide.
Notably absent from the Order, however, are any allegations regarding a data breach or customer complaints.
The Order ultimately imposes a civil penalty of $100,000 and requires Dwolla to take several affirmative steps to improve its data security, including:
- adopt and implement reasonable and appropriate data security measures to protect consumers’ personal information;
- establish a written comprehensive data security plan and policies and procedures;
- designate a qualified person to coordinate and be accountable for such data security program;
- conduct data security risk assessments twice annually and adjust its program according to the results;
- conduct mandatory data security training for employees;
- develop security patches to fix any vulnerabilities in its applications; and
- develop, implement, and maintain reasonable procedures for the selection and retention of service providers and an appropriate method of customer identity authentication.
The Order will remain in effect for five years and also lays out a comprehensive plan to ensure Dwolla’s compliance.
The Order reflects a significant shift in the data privacy regulatory scheme, as the FTC has typically been the primary agency to police data security issues. Moreover, past FTC enforcement efforts have focused on data breaches, rather than targeting companies for misrepresentation of data security practices.
The CFPB is likely to stay active in the data privacy arena. Indeed, CFPB Director Richard Cordray recently suggested that the Order may be the first of many, stating: “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.” Accordingly, companies need to be increasingly aware of the strength of their data security measures, and ensure that they are truthfully representing such measures to consumers.