The Consumer Financial Protection Bureau (CFPB) entered into a Consent Order with online payment systems operator Dwolla based on allegations of insecure data security practices related to its online payment system. The CFPB has fined Dwolla $100,000 for misrepresenting its security practices, the first fine issued by the CFPB.
According to the consent order, the CFPB claims Dwolla did not take “reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” while representing to customers that its network and transactions were both “safe” and “secure,” with detailed claims to that effect. According to the CFPB, Dwolla did not live up to its claims, failing to encrypt all sensitive data and failing to meet PCI compliance in transactions, servers and data centres. The CFPB details many claims of Dwolla’s failures, which include a lack of technical safeguards as well as insufficient security policies, training and risk assessments.
Dwolla wrote a blog post noting that, since its launch 5 years ago, there have never been any indicators or evidence of a data breach, and apologizing for any confusion over data security that may have come from a snapshot of its security posture in the past, which perhaps was not described with the best “language and comparisons.”
It’s clear that the CFPB allegations are quite serious, even if they may not represent an accurate picture of Dwolla’s current security posture. Dwolla believes its current security policies, practices and technologies meet industry standards and is “glad to have come to a resolution with the CFPB” regarding its investigation of the company’s past security posture.
The CFPB is authorized to take action against organizations engaged in “unfair, deceptive or abusive acts or practices” under the Consumer Protection Act, which is similar to the FTC’s enforcement of “unfair or deceptive acts or practices” in commerce under the FTC Act and other laws protecting consumer privacy.
Although the fine is not huge, the consent order indicates a growing level of enforcement actions coming from many angles, whether enforcing a legal requirement, a State enforcement or a class action suit. The CFPB fine is distinct in that no consumer harm came from a lack of security preparedness; rather, the suit alleges deception about the exact state of that preparedness.
There’s never been a better time to make sure your data security plan not only meets, but exceeds, the demands of all the various regulators and standards set forth today. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.