Data Protection Report - Norton Rose Fulbright

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) released a Consent Order entered between it and Dwolla, a company providing an online money transfer and payment processing platform to consumers.  The Consent Order alleges that Dwolla made false representations concerning its data security practices and engaged in deceptive acts and practices in connection with the offering of consumer financial products or services, in violation of the Consumer Financial Protection Act of 2010 (“CFPA”) sections 12 U.S.C. 5531(a) and 5536(a)(1).

This is the CFPB’s first foray into the data security and privacy enforcement space and could foreshadow additional similar enforcement activity.  Interestingly, it appears that this investigation and Consent Order were not triggered by a security breach suffered by Dwolla.  Although the CFPB’s approach and enforcement rationale are reminiscent of similar actions taken by the FTC, the Consent Order is the first of its kind and has its own quirks.  In this post we take a deeper look at the CFPB’s action and the Dwolla Consent Order.

Factual Background of the Dwolla Consent Order

According to the Consent Order, Dwolla is a payment platform that allows its customers to make payments via web browser or mobile application.  As of May 2015, the company had approximately 653,000 customers and was transferring up to $5 million a day.

To set up and use an account, a consumer must provide Dwolla with a variety of information, including:  name, address, date of birth, telephone number, Social Security number, bank account number and routing number, username, password and 4-digit PIN.

The Consent Order indicates that Dwolla represented on its website repeatedly that its network and payment transactions were “safe” and “secure,” and that the company’s security practices “exceed” or “surpass industry security standards” and comply with the Payment Card Industry Data Security Standard (“PCI”).  Dwolla also made specific representations, such as: “All information is securely encrypted and stored.” According to the CFPB, these statements were false and were likely to mislead a reasonable consumer into believing that Dwolla had implemented reasonable and appropriate security practices. Further, these statements were material because they were likely to affect a consumer’s choices as to whether to become a Dwolla customer.

In addition, the CFPB determined that Dwolla failed to:

  • adopt and implement data-security policies and procedures reasonable and appropriate for the organization;
  • use appropriate measures to identify reasonably foreseeable security risks;
  • ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • use encryption technologies to properly safeguard sensitive consumer information; and
  • practice secure software development, particularly with regard to consumer facing applications developed at an affiliated website, Dwollalabs.

In particular, Dwolla (which launched in December 2009) did not have a written security program until October 2013.  Its first comprehensive security risk assessment and employee security training occurred in mid-2014.  Moreover, the CFPB determined that Dwolla transmitted personal information, including SSNs, financial account numbers and driver’s license numbers, in clear text. Although Dwolla began implementing secure software development practices in 2012, its Dwollalabs division did not comply with Dwolla’s security practices, and the software developer leading the division had no data security training.

Enforcement Action

Although Dwolla did not admit or deny the CFPB’s determinations, it agreed to entry of the Consent Order, which includes provisions that require Dwolla:

  • Not to misrepresent its data security practices, including data storage or encryption practices, PCI compliance, or adherence to data-security standards or best practices.
  • To adopt and implement reasonable and appropriate data-security measures to protect consumers’ personal information, including implementing and maintaining a comprehensive written data security program, designating a security coordinator, conducting bi-annual risk assessments, providing employee training, patching security vulnerabilities, contractually obligating vendors to comply with the Order and maintain appropriate safeguards, and obtaining an annual data security audit performed by an independent auditor.
  • To begin a remediation process by engaging an independent auditor. Dwolla’s board of directors must then develop a compliance plan, subject to the CFPB’s review and revision, to correct any deficiencies identified in the auditor’s report.  This remediation process must be repeated annually.
  • To have its board of directors review all submissions to the CFPB and assume “the ultimate responsibility for proper and sound management of [Dwolla] and for ensuring that it complies with Federal consumer financial law and this Consent Order.”
  • To maintain documents pertaining to its compliance with the Consent Order for five years.
  • To pay a $100,000 civil penalty to the CFPB.

Our Take

The Dwolla enforcement action and Consent Decree raise several interesting issues:

  • Pre-Breach Enforcement Trend. Given that Dwolla does not appear to have suffered a security breach, the CFPB’s enforcement action against Dwolla may presage a broader trend among federal agencies to change the focus of enforcement from post-breach to pre-breach action. The FTC’s HTC enforcement and the recent ASUS enforcement both focus on the quality of those companies’ cybersecurity programs, and are not predicated on the occurrence of a breach.  In addition to the FTC and CFPB, the Securities & Exchange Commission and FFIEC are actively examining their respective regulated entities’ cybersecurity programs, with the SEC expected to bring enforcement actions against broker/dealers in the near future.  A pre-breach enforcement trend may cause a shift away from some businesses’ view that low probability/large-scale breaches are a pre-condition for an enforcement action.  We expect the Dwolla enforcement action to serve as another push for businesses to invest proactively in building robust cybersecurity programs and engage in Security and Privacy by Design with respect to their products and services.
  • Becoming an Enforcement Target. Because there appears to have been no breach, it is not clear how the CFPB chose Dwolla as a target for an enforcement action.  Possibilities may include a consumer complaint, an insider tip, a CFPB review of Dwolla’s privacy statements and website, or even a report by an external “ethical hacker.” (We have had clients who faced threats by hackers to report security vulnerabilities to regulators if a “consulting fee” was not paid.) If the CFPB continues with similar enforcement actions, it may be possible to discern commonalities in enforcement targets. However, for the time being, any company subject to CFPB jurisdiction may be a potential target. These companies, therefore, may wish to shore up their security and privacy measures.
  • Board Involvement. Interestingly, the CFPB (unlike the FTC) heavily stressed board responsibility and involvement.  Again, this could be the start of another trend by regulators to encourage a top-down culture of compliance with the tone set by the board (not to mention the resources and oversight provided by the board).  With various lawsuits filed against boards of directors, and congressional activity around board involvement and responsibility for cybersecurity, it is likely that the message is sinking in.

Overall, what Dwolla and other actions indicate is that companies should consider proactively addressing data security and privacy, and legal compliance and liability risks, at all levels of their business.