In March 2016, the Consumer Financial Protection Bureau (CFPB) penalized Dwolla, a digital payment company, $100,000 and ordered the company to fix its security practices. The CFPB found that Dwolla had deceived its customers about its data and security practices and failed to protect its customers’ information.
Dwolla, a Des Moines, IA-based company, provides an online payment system to more than 650,000 customers. From 2010 through 2014, the company claimed to protect its customers’ data with security practices that exceeded industry standards. On reviewing those practices, the CFPB found that Dwolla had misrepresented them: the company had not adopted appropriate measures to protect sensitive consumer data, and it had not encrypted that data despite claiming to do so.
The CFPB’s enforcement action is notable for two reasons. First, it was taken in the absence of any data breach, suggesting the CFPB is adopting a proactive, rather than reactive, approach to consumer protection. The action also came shortly after the CFPB released a new policy designed, in the words of CFPB Director Richard Cordray, to “foster a consumer financial marketplace where companies develop safe, innovative products and approaches that can help make people’s lives better.” Second, the action extends the CFPB’s authority into cybersecurity regulation. The Dodd-Frank Act gives the CFPB authority over “unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws.” Until now, it was unclear whether that authority reached data security, which was generally thought to be the province of the Federal Trade Commission and other regulators.
While the CFPB’s jurisdiction is currently limited to consumer financial products, the action may signal the start of a new era of cybersecurity regulation, as data breaches become more common and the protection of consumer data becomes a continuing obligation for businesses in every sector.