On February 16, 2016, the Consumer Financial Protection Bureau (CFPB) issued a Consent Order relating to certain “deceptive” acts and practices of Dwolla, Inc., an Iowa based payment processor (Dwolla). Dwolla operates a software platform that enables “real time” funds transfers through a digital network that connects banks and credit unions. According to the CFPB, Dwolla had more than 650,000 users and transferred as much as $5 million a day as of May, 2015. The CFPB alleged that Dwolla collected sensitive personal information, including the consumer’s name, address, date of birth, telephone number, and social security numbers but committed “deceptive” data security practices when it represented that its processes were “safe and secure.” The CFPB examined Dwolla’s processes to determine if these representations were accurate and ended up assessing civil money penalties against Dwolla for failing to implement reasonable data security standards to protect consumer’s personal information.
The CFPB’s enforcement action against Dwolla is noteworthy because the CFPB did not wait until there was actual consumer harm before they took enforcement action. The main takeaway here is that companies should be wary of making any representations regarding its data security practices if a company has not put into place, at minimum, a written data security program that adequately protects sensitive consumer information.
Basis for CFPB Jurisdiction over Data Security?
Although not stated in the Consent Order, we believe the CFPB asserted jurisdiction over Dwolla as a “service provider” to a financial institution regulated by the CFPB under the Consumer Financial Protection Act (CFPA). In 2015, Dwolla entered into an agreement with BBVA Compass, a bank with 2.9 billion in assets, to provide payment processing to BBVA Compass’s customers. Dwolla also holds itself out to other financial institutions as a partner in providing faster money transfers. By doing so, Dwolla provided a material service to a financial institution that provides financial services to consumers, and meets the definition of a “service provider” under the CFPA, which explicitly includes “any person [that] processes transactions relating to a consumer financial product or service.”
The CFPB has previously taken action against payment processors on similar grounds and has signaled that the CFPB has regulatory interest in the electronic payment system which has been rapidly changing in response to new technologies and innovations. Speaking before The Clearing House, which is one of the largest operators of the automated clearing house, in November 2014, CFPB Director Richard Cordray stated that the CFPB is concerned with the possibility of misuse/abuse and consumer harm resulting from unauthorized transactions, cyber threats and issues surrounding funds availability with the electronic payment system. In July 2015, the CFPB also published an outline of nine Consumer Protection Principles that the CFPB would like to have considered and incorporated into the emerging new payment systems in order to ensure that these systems are secure, transparent, accessible and affordable to consumers.
No Finding of Consumer Harm and No Data Breach
The CFPB did not allege that there was an actual data breach or consumer harm resulting from Dwolla’s actions. This may be the reason why the CFPB only fined Dwolla $100,000, which is a relatively modest fine. Instead, the CFPB identified “deceptive” acts and practices relating to false representations that Dwolla is alleged to have made regarding its data security practices. An act or practice is deceptive under the CFPA if (1) there is a misrepresentation or omission of information that is likely to mislead consumers acting reasonably under the circumstances, and (2) that information is material to consumers. In this instance, the CFPB found that Dwolla’s representations were “material to consumers” because the representations were likely to affect a consumer’s choice or conduct regarding whether to become a member of Dwolla’s network.
The CFPB reviewed Dwolla’s actions from January 2011 through March 2014 and alleged that Dwolla represented, expressly and by implication, to consumers that Dwolla employs reasonable and appropriate measures to protect data obtained from consumers from unauthorized access. Specifically, the CFPB focused on the following alleged “misrepresentations”:
- Dwolla’s website stated that its network and transactions were “safe” and “secure”
- Dwolla’s represented that its data security practices “exceed” or “surpass” industry standards”
- Dwolla stores consumer information “in a bank-level hosting and security environment”
- Dwolla “represented that it had set a new precedent for the industry for safety and security”
- Dwolla encrypts data “utilizing the same standards required by the federal government”
- Dwolla is PCI Compliant
The Importance of Putting in Place a Written Data Security Program
Without quantifiable consumer harm, the CFPB’s basis for alleging “deceptive” acts and practices was based on purported deficiencies in Dwolla’s data security protocols. The CFPB found that Dwolla had neglected to put into place a written data security program and is requiring Dwolla to implement such a program as part of the consent order’s remediation requirements. The CFPB also alleged that since the founding of the company and until December 2012, Dwolla did not train its employees on the handling and protection of consumers’ personal information and did not conduct its first mandatory training for employees until mid-2014. Dwolla also did not hire a third party auditor to conduct testing until December 2012 and even after the auditor found that its employees were vulnerable to email phishing attacks, Dwolla failed to address the auditor’s findings in its employee training program. Dwolla also stored sensitive consumer information on Dwollalabs.com and on its apps, without employing measures to test and protect the consumer information.
The Dwolla consent order makes clear that companies that wish to demonstrate compliance and avoid making “deceptive” misrepresentations regarding its data security program should implement the following best practices:
- Written Data Security Policies and Procedures. Companies need a written information security plan and should adopt and implement data security policies and procedures reasonable and appropriate for the organization’s size, risk profile and business;
- Designate a Qualified Data Security Coordinator. Companies should appoint a qualified person that is responsible for coordinating and maintaining an effective data security program.
- Risk Assessments. Companies should conduct periodic risk assessments to identify reasonably foreseeable data security risks to consumers’ personal information and determine if there are reasonable safeguards in place to protect the information.
- Employee Training. Companies that do not regularly train its employees who have access to or handle consumer information are exposing customer personal information to security risks.
- Security Practice Vendor Management. Companies should develop, implement and maintain reasonable procedures for the selection and retention of service providers capable of maintaining reasonable data security practices and appropriate safeguards.
- Encryption. Companies should use encryption technologies to properly safeguard sensitive consumer information; and
- Secure Software Development. Companies should run tests on any consumer facing software applications to ensure that software, apps, and other applications provide adequate protection to consumer’s data.
We have assisted various clients in responding to data breaches and cybersecurity incidents and know that companies already have strong reasons to put in place a written data security program to protect itself against cybersecurity threats. After Dwolla, companies making representations in the market about its data security now face the additional risk of regulatory enforcement actions due to deficiencies in their data security plans.