The Green Sheet Online Edition
March 28, 2016 • Issue 16:03:02
CFPB fines Dwolla over data security lapses
The Consumer Financial Protection Bureau slapped a $100,000 penalty on the payment network Dwolla Inc. for deceiving consumers about its data security practices. The fine is part of a consent agreement between the CFPB and Dwolla announced on March 2, and marks the federal consumer watchdog's first enforcement action related to data security.
"Consumers entrust digital payment companies with significant amounts of sensitive personal information," CFPB Director Richard Cordray said in a statement about the enforcement action. "It is critical that companies put systems in place to protect this information and accurately inform consumers about their data security practices." Dwolla failed on both counts, the CFPB asserted.
In a blog post on that same day, Dwolla apologized to the public, explaining, "[W]e may not have chosen the best language and comparisons to describe some of our capabilities." The post noted that since its launch over five years ago, "Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event."
Dwolla was launched in 2010 as an e-commerce alternative for credit and debit card acceptance. Since then, the Des Moines, Iowa-based company has expanded to also support low-cost, real-time mobile payments for consumers and businesses. All transactions are cleared through the automated clearing house system and priced at a flat per-transaction fee of 25 cents regardless of value.
As of May 2015, Dwolla had logged more than 650,000 users and was transferring as much as $5 million a day on behalf of customers, according to the CFPB's complaint. For each account Dwolla signs, it collects personal information, including name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password and a unique four-digit PIN.
Failing to deliver on claims
According to the CFPB's complaint, Dwolla made false claims between 2010 and 2014 that customer information was safe, secure, and in compliance with Payment Card Industry (PCI) data security standards. In addition, the CFPB found Dwolla also claimed, falsely, that sensitive personal information it collected was encrypted, and that its mobile apps were safe and secure. "Dwolla's data security practices in fact fell short of its claims," the CFPB stated. The CFPB said Dwolla failed to use reasonable and appropriate measures to protect customer data from unauthorized access and that despite claims by Dwolla that "information is securely encrypted and stored," some personal consumer information did not get encrypted. What's more, some Dwolla applications were released to the public without rigorous security testing, according to the CFPB.
In addition to paying a $100,000 fine, Dwolla agreed to stop deceiving consumers about the security of the network and enact comprehensive data security measures and procedures. The company also has to fix security flaws in its web and mobile apps and work to ensure ongoing security of consumer data in transit and at rest.
Upping the ante
The CFPB was created under the 2010 Dodd-Frank financial reform legislation as a semi-autonomous agency with enforcement authority for federal consumer protection laws, such as those involving lending and electronic payments. (Many of these laws previously were enforced by the Federal Reserve and other regulators.) Dodd-Frank also put the CFPB in charge of policing for unfair, deceptive or abusive acts and practices – consumer protections historically enforced by the Federal Trade Commission.
However, according to legal experts, Dodd-Frank did not grant the CFPB enforcement authority for cybersecurity laws; that was left to the FTC and bank regulators. That's why the action against Dwolla focuses on deceptive claims about the security of the network and consumers' personal financial information. The law firm Ballard Spahr LLP wrote in a March 3, 2016, legal alert that the CFPB's action against Dwolla "significantly ups the ante" for large banks and nonbank financial services companies under the bureau's jurisdiction. "Financial institutions should prepare for increased CFPB activity in the areas of data security and privacy," the firm stated.