The Consumer Financial Protection Bureau (CFPB) supervises banks, credit unions, and other financial companies, and enforces federal consumer financial laws.  Since its creation in 2010 under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB has not engaged in enforcement actions related to data security issues.  Until now...

On March 2, 2016, the CFPB issued its first Consent Order against online payment platform Dwolla, Inc. (Dwolla) for its alleged unfair and deceptive acts and practices regarding Dwolla's data security policies and procedures.  In the order, the CFPB alleged that Dwolla failed to maintain adequate data security practices despite contrary representations made to consumers.  The CFPB particularly noted that Dwolla failed to:

  • adopt and implement reasonable and appropriate data-security policies and procedures;
  • conduct risk assessments;
  • provide employee data-security training; and
  • use encryption to properly safeguard sensitive consumer information.

The CFPB also charged that Dwolla falsely represented to consumers that its transactions were compliant with the standards set forth by the PCI Security Standards Council.  Notably, the CFPB's scrutiny of Payment Card Industry (PCI) Data Security Standards (DSS) compliance comes at a time when the PCI-DSS is also being scrutinized by the Federal Trade Commission (FTC).

In the Consent Order, Dwolla agreed to adopt and implement reasonable and appropriate data-security policies and procedures, including but not limited to establishing a comprehensive data-security plan, designating a qualified person to coordinate and be accountable for the company's data-security program, and conducting risk assessments, audits, and mandatory employee training. Further, Dwolla agreed to pay a civil penalty in the amount of $100,000.

The CFPB's Consent Order is significant for companies that provide financial products or services to consumers for three reasons.

  • First, the CFPB has joined other governmental agencies, including the FTC, the Federal Communications Commission (FCC) and Securities and Exchange Commission (SEC), in pursuing data security enforcement actions.
  • Second, the CFPB's order makes clear that companies that provide financial products or services must have a functional data security plan that is accurately communicated to consumers.
  • Third, and perhaps most importantly, the CFPB pursued its enforcement action in the absence of a reported data breach or evidence of consumer harm.
