On March 2, 2016 the CFPB announced that it had entered into a consent order with payment processor Dwolla, Inc. In the CFPB’s first consent order relating to data security, the CFPB alleged that Dwolla’s data security practices violated the UDAAP provisions of the Consumer Financial Protection Act of 2010 (CFPA). Significantly, the CFPB did not allege that any consumer information was actually compromised.
Dwolla is an online payment platform that collects and stores personal information of consumers, including their name, address, date of birth, phone number, social security number, bank account number, routing number, username, password, and PIN. According to the CFPB, Dwolla represented to consumers that it employs reasonable and appropriate measures to protect data obtained from consumers from unauthorized access, that its network and transactions were “safe” and “secure,” and that its data security practices met or exceeded industry standards. It also made certain representations with respect to its encryption and data security measures.
The CFPB alleged that many of these statements were inaccurate. For example, according to the CFPB, Dwolla failed to adopt and implement data security policies and procedures reasonable and appropriate for the organization, and failed to conduct comprehensive risk assessments.
According to the consent order, Dwolla also failed to ensure that employees who had access to or handled consumer information received adequate training and guidance about security risks. The CFPB alleges that Dwolla did not use encryption technologies to properly safeguard sensitive consumer information; for example, according to the CFPB, Dwolla transmitted various types of personal information without encrypting it.
Finally, the consent order alleges that Dwolla failed to practice secure software development in connection with its alternative software development operation. Specifically, the CFPB alleges that the developer of its mobile software applications had no data security training and that these applications did not comply with the company’s security practices.
According to the CFPB, Dwolla’s representations regarding its data security practices were likely to mislead a reasonable consumer into believing the company had incorporated reasonable and appropriate data security practices when it had not, and such representations were material because they were likely to affect a consumer’s choice or conduct regarding whether to become a member of Dwolla’s network. Based on this, the CFPB alleges that Dwolla’s practices constitute deceptive acts and practices under the CFPA.
The consent order requires Dwolla to, among other things, take steps to improve the safety and security of its operations by fixing any security weaknesses, securely storing and transmitting consumer data, developing a comprehensive data security plan and related policies and procedures, adequately training employees, and conducting a data security risk assessment twice a year. It also requires the company to obtain an annual data security audit. The board of directors must review the audit results and develop a compliance plan, which must then be submitted to the CFPB for review. Finally, Dwolla must pay a civil money penalty of $100,000.
The CFPB’s announcement, which includes a link to the consent order, can be found here: