The CFPB Issues First Data Security Enforcement Action

The Consumer Financial Protection Bureau (CFPB) entered into a Consent Order with online payment systems operator Dwolla based on allegations of insecure data security practices related to its online payment system. The CFPB has fined Dwolla $100,000 for misrepresenting its security practices, the first fine issued by the CFPB. 

According to the consent order, the CFPB claims Dwolla did not take “reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” while representing to customers that its network and transactions were both “safe” and “secure,” with detailed claims to that effect. According to the CFPB, Dwolla did not live up to these claims, failing to encrypt all sensitive data and failing to meet PCI compliance in its transactions, servers and data centres. The CFPB details many claims of Dwolla’s failures, which include a lack of technical safeguards as well as insufficient security policies, training and risk assessments.

Dwolla wrote a blog post noting that, since its launch 5 years ago, there have never been any indicators or evidence of a data breach, and apologizing for any confusion over data security that may have come from a snapshot of its security posture in the past, which perhaps was not described with the best “language and comparisons.”

It’s clear that the CFPB allegations are quite serious, even if they may not represent an accurate picture of Dwolla’s current security posture. Dwolla believes its current security policies, practices and technologies meet industry standards and is “glad to have come to a resolution with the CFPB” regarding its investigation of the company’s past security posture.

The CFPB is authorized to take action against organizations engaged in “unfair, deceptive or abusive acts or practices” under the Consumer Protection Act, which is similar to the FTC’s enforcement of “unfair or deceptive acts or practices” in commerce under the FTC Act and other laws protecting consumer privacy.

Although the fine is not huge, the consent order indicates a growing level of enforcement actions coming from many angles, whether federal enforcement of a legal requirement, state enforcement or a class action suit. The CFPB fine is distinct in that no consumer harm came from a lack of security preparedness; rather, the order alleges deception about the exact state of that preparedness.

There’s never been a better time to make sure your data security plan not only meets, but exceeds, the demands of all the various regulators and standards set forth today. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks.

ABOUT THE AUTHOR

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.