CFPB Issues First Cybersecurity Order Against Payment Platform for Deceptive Practices

The Consumer Financial Protection Bureau (“CFPB”) recently instituted a cybersecurity enforcement action against an online payment platform, Dwolla, Inc., in the form of a consent order. This consent order is significant because it is the first time the CFPB has sought to institute an enforcement action in the cybersecurity arena after it was given the authority to do so under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), highlighting the increasing emphasis being placed by financial regulators on cybersecurity practices. The Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”), and the Federal Trade Commission (“FTC”), among others, have all been quite active in policing data security practices of financial institutions in recent years. The SEC even listed cybersecurity control procedures of registered broker-dealers and investment advisers as one of its examination priorities for 2016.

The Dodd-Frank Act gives CFPB supervisory authority over providers of consumer financial products or services. It also authorizes CFPB to take enforcement action to prevent unfair, deceptive or abusive acts or practices from these providers. In this case, Dwolla allegedly made several exaggerated claims regarding the strength of its data security practices that the CFPB found to be deceptive within the meaning of the Dodd-Frank Act.

Specifically, Dwolla allegedly asserted that its cybersecurity practices were “safe” and “secure,” exceeded industry standards, and were even safer than credit cards. Dwolla also allegedly stated in marketing materials that its data security practices satisfied the PCI (Payment Card Industry) Security Standards and that all consumer information was securely encrypted and stored. However, the CFPB found that Dwolla’s data security practices for the collection and storage of consumer information did not exceed industry standards and were not safer than credit cards. In addition, the CFPB found that Dwolla’s data security practices for transactions, servers, and data centers were not PCI compliant, and that Dwolla did not encrypt all consumer information in its possession. Overall, the CFPB found that Dwolla had generally failed to employ reasonable and appropriate measures to protect against cybersecurity breaches.

The CFPB did not clearly define what “reasonable and appropriate measures” were required, although they did state that Dwolla failed to: 1) adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information; 2) conduct regular risk assessments to identify reasonably foreseeable risks to consumers’ personal information; 3) ensure that employees who had access to consumer information received adequate training and guidance about security risks; 4) use encryption technologies to properly safeguard personal consumer information such as names, mailing addresses, social security numbers, and bank account information; and 5) practice secure software development with software developers who have received data security training. By failing to adopt those measures, the CFPB concluded that Dwolla had acted deceptively under the Dodd-Frank Act.

Dwolla consented to the order without admitting or denying any of CFPB’s findings of fact. Pursuant to the consent order, it must cease making any misrepresentations about its data security practices and pay a civil penalty of $100,000. In addition, it agreed to take certain steps to adopt reasonable appropriate data security practices, including, among others: 1) establishing a written comprehensive data security plan reasonably designed to protect customer information; 2) designating a qualified individual to coordinate and be accountable for the data security program; 3) conducting biannual data security risk assessments to identify internal and external security risks; 4) conducting regular employee training on the data security practices; 5) developing security patches to fix any vulnerabilities in web or mobile applications; 6) developing an appropriate method of customer identity authentication at the registration phase; 7) developing a compliance plan to correct deficiencies and ensure adherence to the consent order; and 8) obtaining an annual independent data security audit.

The Director of CFPB, Richard Cordray, stated in prepared remarks to the Consumer Bankers Association that CFPB’s enforcement actions such as this one are “intended as guides to all participants in the marketplace to avoid similar violations and make an immediate effort to correct any such improper practices.”

Parker MacIntyre provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Visit our website for more information.