CFPB issues first data security penalty

In the first case of its kind, the Consumer Financial Protection Bureau took action against an online payment platform, claiming that the company deceived consumers about the company’s data security practices and the safety of its online payment system.

The object of the agency’s claim is Dwolla, a Des Moines, Iowa, company founded in 2008 and which went live in 2009. It contracts with banks to verify accounts, transfer payments, keep balances, and route funds directly.

This article covers both the consent order itself and the views of an expert on the implications beyond the immediate case.

What CFPB alleged

“From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with ʻsafe’ and ʻsecure’ transactions,” CFPB says in announcing its consent order. 

“But rather than setting ʻa new precedent for the payments industry’ as asserted, Dwolla’s data security practices in fact fell far short of its claims,” the bureau adds.

Under the terms of the CFPB order, Dwolla is required to:

• Pay a $100,000 civil money penalty.

• Stop misrepresenting its data security practices.

• Train employees properly and fix security flaws.

Dwolla neither admitted nor denied any of the findings of fact or conclusions of law in CFPB’s order. In a statement issued the day of CFPB’s order, although not mentioning CFPB specifically, Dwolla posted a long explanation of its current security practices.

In a prelude to that list it says:

“Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.”

Subsequent to initial publication of this article on www.BankingExchange.com, Dwolla's Jordan Lampe, director of communications and policy affairs, provided the following statement:

“Dwolla is glad to have come to a resolution with the CFPB regarding its investigation. The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012. Dwolla understands the Bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards.
 
"The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices. This is consistent with the fact that since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. During this time, Dwolla had many other layers of data security practices and technologies in place that were not found to be deficient, which we believe helped to prevent harm to consumers.
 
"We’ve never been more proud of our information security policies, practices, and technologies, and have gone to great lengths to implement them up, down, and across the company. The data security assessments that are part of the settlement will validate that implementation process.”

No infiltration claimed by bureau

CFPB in its consent order does not allege that any security breach actually occurred or that any individual consumers were harmed.

Instead, in the consent order itself, the bureau focuses on the timing of when particular claims were made and when the company actually followed through. For example, in the bureau’s words:

• “From its launch until at least September 2012, respondent did not adopt or implement reasonable and appropriate data-security policies and procedures.”

• “From its launch until at least October 2013, respondent did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information.”

• “Until at least December 2012, respondent’s employees received little to no data security training on their responsibilities for handling and protecting the security of consumers’ personal information.”

Q&A: Implications for banks, fintech, regulators

In an interview with Banking Exchange, Kim Phan, counsel with the law firm of Ballard Spahr LLP, Philadelphia, talked candidly about this case and its implications for banks, financial technology providers and developers, and the regulatory environment. (Dwolla is not one of Ballard Spahr’s clients.)

The following has been edited for continuity.

Banking Exchange: This is a new thing in that for the first time CFPB has taken action about a data security issue. Can you put this into perspective?

Phan: The big message to banks and other players is that, for a long time, since the mid-1990s, the Federal Trade Commission has been the self-proclaimed, de facto, privacy and data security federal regulator.

In the last 20 to 30 years, FTC has established a groundwork for what are called unfair and deceptive acts and practices. That’s their “Section 5” authority. About five years ago Dodd-Frank passed and CFPB was empowered with basically the FTC’s UDAP authority, but enhanced with the addition of abusive acts or practices [UDAAP] ... Of course, FTC has a limitation in its [data security] jurisdiction in that they never had authority over banks. FTC could go after anybody else, but [not] banks, nonprofits, and some other specific carveouts.

Now, CFPB has shown that it is willing to take these data security enforcement actions under its own UDAAP authority, for banks. That’s the big picture.

Banking Exchange: In this specific case it seems that CFPB’s argument is that Dwolla made certain claims in marketing, writing, and agreements with customers that, CFPB claims, were not justified by what the company actually did. Is this a new wrinkle in the law?

Phan: The charge, the claim, and the outcome are not atypical. CFPB in its first enforcement action in this area has followed the FTC model very closely. Most cases will be based on some sort of claim of either unfairness or deception.

This case is focused on deception. The company made all these claims … but it wasn’t doing what it claimed. CFPB picked a pretty cut-and-dried case.

As far as its first foray into this area (data security), the penalty is only $100,000. [That’s] really, really low. CFPB usually swings for the fences [such as a case, for example, in which CFPB levied a $25 million penalty]. I think the bureau is being conservative here. It have not alleged that there has been any consumer harm. There’s no data breach, there’s no specific harm that has happened.

Banking Exchange: Dwolla issued a statement following the CFPB action, in which it did not address CFPB specifically, but did list what it does now to protect data. Dwolla said that the company protects data in transit, protects data at rest, uses tokenization, has a layered approach to security, and includes security in its corporate culture.

These are things that banks do already and what they would tell their customers. So, would banks open themselves up to this type of scrutiny from CFPB or any other regulatory agency?

Phan: Keep in mind, CFPB in its consent order, is very focused on timeline. CFPB states in the consent order that the company made a given representation in 2009, but it didn’t do that thing until 2012. The company said it did another thing, such as training, at one time, but didn’t have its first training until later. So CFPB really lays it out as far as when the representations happened and when they actually started doing it.

Banking Exchange: So it gets back to the whole idea of not only saying what you’re doing, but documenting that you’re doing it.

Phan: Doing what you say. What’s important for banks to take away from this is with regard to new rollouts.

Every bank is trying to roll out new apps to create new functionality on its website or mobile platform. It’s great that a banks has all this security in place and that has documented it. But if you’re not doing that for every single rollout with every single functionality before it becomes live, then you’re going to have a problem.

Banking Exchange: Fintech is a huge industry now. What does it learn from this case?

Phan: The important part to keep in mind with this Dwolla consent order it that part of it requires Dwolla, in the event it is developing new products or hiring service providers to develop new products, to do security due diligence, to have security language in its contracts, and to be auditing for security.

Banking Exchange: One reads in the literature more and more about how regulators are not only focusing on cyber threats but on the technology to deal with that.

Phan: I would point out that the president has a big cybersecurity initiative that was launched last year. Congress has shown a willingness to fund cybersecurity initiatives.

So if you are a regulator, say for example, the FTC, or the Comptroller’s Office, or FDIC, you want those dollars. I think we can expect to see a wave of regulatory one-upsmanship here, where they are all trying to show that they are the toughest cop on the beat—so they can get those dollars.