On March 2, the federal Consumer Financial Protection Bureau (CFPB) for the first time brought an enforcement action related to data security. The CFPB consent order imposes a $100,000 fine and five years of regulatory oversight for online payments provider Dwolla. The action sends a clear message that the CFPB intends to actively regulate the data security representations of consumer finance service providers.
The CFP Act, passed in 2010 as part of the Dodd-Frank Act, grants the CFPB authority to take action to prevent “a covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.” “Covered Persons” includes any company that offers or provides a “consumer financial product or service.” Relying on this authority, the CFPB action accused Dwolla of “deceptive acts or practices” in connection with data security.
The CFPB consent order cited a number of specific representations by Dwolla, including claims that:
- Dwolla transactions were “safer [than credit cards] and less of a liability for both consumers and merchants”
- Dwolla’s data-security practices “exceed industry standards,” or “surpass industry security standards”
- Dwolla “sets a new precedent for the industry for safety and security”
- Dwolla stores consumer information “in a bank-level hosting and security environment”
- Dwolla encrypts data “utilizing the same standards required by the federal government”
- “All information is securely encrypted and stored” and
- “100% of your info is encrypted and stored securely”
The CFPB conducted a sweeping investigation and ultimately faulted Dwolla for a number of information security failures alleged to conflict with these and other representations, including:
- the non-existence of a written information security policy
- failure to conduct “adequate, regular” security risk assessments
- little to no employee training related to data security
- failure to “address the results” of a security test performed by an auditor in 2012 which simulated a phishing attack against the company, and the related failure to “educate its personnel about the dangers of phishing”
- failure to encrypt “in numerous instances” consumer personal information (such as name, address, PINs, social security, and bank account information)
- lax software development and testing standards (“[t]he software developer leading Dwollalabs software development had no data-security training”)
- failure to “test the security of apps on Dwollalabs.com prior to releasing the apps to the public to ensure that consumers’ information was protected,” and
- failure to conduct “risk assessments or penetration tests on Dwollalabs.com”
The CFPB’s detailed investigation is notable in the agency’s attention to such technical security controls as software development methodology, website penetration testing, and employee training against specific data security threats such as phishing. This detail reveals more than a cursory investigation, which should be anticipated by consumer-financial companies facing CFPB investigations.
The consent order extends for a minimum of 5 years (or longer if the CFPB “initiates an action alleging any violation of the Consent Order”) and requires extensive remediation measures. Among other requirements, Dwolla must:
- establish a “written, comprehensive data-security plan”
- “designate a qualified person to coordinate and be accountable for the data-security program”
- “conduct data-security risk assessments twice annually”
- conduct employee training on the “safe handling of consumers’ sensitive personal information” and “secure software design, development and testing”
- “develop, implement, and update, as required, security patches to fix any security vulnerabilities identified in any web or mobile application”
- “develop, implement and maintain an appropriate method of customer identity authentication at the registration phase and before effecting a funds transfer”
- hire a qualified third-party to conduct an annual data-security audit and prepare a related report (to be reviewed by Dwolla’s Board of Directors and to be shared with the CFPB) “identifying any internal or external risks to the security, confidentiality, and integrity of the sensitive consumer information obtained by [Dwolla] from consumers and to verify that [Dwolla] has implemented reasonable and appropriate risk mitigation activities to sufficiently safeguard against any identified risk”
In addition, Dwolla must pay a $100,000 civil penalty.
This action signals the CFPB’s arrival as a federal financial regulator in a significant way. The consent order demonstrates the agency’s clear willingness to police the representations of providers of consumer financial products and services and to demand detailed information security controls.
 12 USC § 55319(a)
 12 USC § 5481(6)