On March 2, 2016, a consent order between the Consumer Financial Protection Bureau (CFPB) and Dwolla, Inc., an online payment platform, packed an added punch: a $100,000 fine of Dwolla. Why such a penalty? The CFPB wanted to resolve what it considered to be Dwolla’s deception in representations to consumers concerning the company’s data privacy policies and Dwolla’s alleged mishandling of customers’ personally identifiable information. There’s more: Dwolla agreed to take numerous measures to fix its data privacy policies and procedures.
This recent development rings an uncommon bell as the CFPB’s actions come before any actual or suspected data breach occurred. Stated another way: this order and fine come not from consumer outcry but instead from government policing. Companies subject to the CFPB’s jurisdiction should take note.
Since its creation in 2011, the CFPB has prevented financial services companies from engaging in unfair, deceptive or abusive acts or practices affecting consumers. As of late, the CFPB has been focusing its efforts on companies’ protection of consumer’s electronically-stored sensitive personal information. (For more information about the FTC’s efforts in this area, you can read our article here.)
Dwolla is an e-commerce financial company. It hosts an online payment network and offers its users the ability to send or receive money. When opening an account with Dwolla, a user provides his or her name, address, date of birth, telephone number and Social Security number. If a user wants to link a bank account to Dwolla, he or she also provides a bank account number and routing number.
In the course of its dealings Dwolla made numerous statements on its website, such as a claim that user information is stored “in a bank-level hosting and security environment” and that Dwolla employs encryption and data security measures “100% of the time.”
It turns out these representations were off the mark. The CFPB’s investigation found that Dwolla allowed users’ sensitive personal information to be transmitted unencrypted via email and that storage of information in data centers was not consistent with industry standards. The CFPB found that Dwolla’s practices violated the Consumer Financial Protection Act of 2010.
The CFPB also looked at Dwolla’s data security policies and procedures together with its employee training programs as to users’ sensitive personal information. The CFPB concluded that the company did not, in fact, have the requisite data security policies and procedures in place; it noted that a mandatory employee training program did not exist until mid-2014. The CFPB also found that Dwolla did not take appropriate remedial steps after an outside auditor found serious vulnerabilities in Dwolla’s security practices.
In the end, the CFPB and Dwolla not only agreed to the consent order with a hefty fine, but also reached an accord on necessary improvements in data protection practices. Whether the CFPB’s policing of promises on data security is the wave of the future for businesses remains to be seen. However, take stock of the following to try and avoid the gaze of government regulators and litigation:
- Ensure that the representations you make to consumers concerning your data privacy practices are correct and regularly reviewed;
- Have detailed policies and procedures in place concerning the collection, storage, and transfer of all of your customers’ sensitive personal information;
- Have a “data privacy team,” which includes an accountable manager, to ensure that your policies and procedures are being implemented;
- Implement regular employee training on the handling of your customers’ private information;
- Conduct regular audits to ensure your policies are being followed, locate vulnerabilities, and make adjustments to your policies accordingly; and
- Employ knowledgeable and qualified software professionals.
By John Ochoa of SmithAmundsen