“No Breach Required: CFPB Conducts First Data Security Enforcement Action”
Safe and Sound 03/09/16 By James I. Kaplan and Moein M. Khawaja
In its first data security enforcement action, the CFPB ventured into the FTC’s usual enforcement territory and obtained a consent order against Dwolla Inc., an online payment company. The company has agreed to pay a $100,000 penalty, stop misrepresenting its data security practices, and take corrective action by training employees and improving data security and customer authentication. The CFPB also required Dwolla, among other things, to hire an independent expert to audit its data security annually for five years, develop a written information security program, and assess security risks biannually. The full consent order can be viewed here.
The CFPB typically focuses on tangible consumer harm. Here, however, there was no evidence that consumers were tangibly harmed by Dwolla, no consumers complained to Dwolla or to the CFPB, and there was no data breach. The CFPB was able to bring this preemptive enforcement action by relying on its authority to police deceptive acts and practices under Dodd-Frank’s prohibition against “unfair, deceptive, and abusive practices,” which requires only that the conduct misleads, or is likely to mislead, the consumer.
In this case, Dwolla stated on its website and in other communications that its data security practices exceeded industry standards and that consumer information was fully encrypted in storage and in transmission. The CFPB found these claims material because they were likely to affect consumers’ decisions about whether to use Dwolla’s services. The CFPB found that the company fell short of these representations because it failed to implement data security procedures appropriate for the company and its services, conduct risk assessments, train employees, and use encryption to properly safeguard sensitive consumer information.
Thus, any company that claims its data security exceeds industry standards, without backing that claim with robust security practices, may attract the attention of the CFPB and other authorities. Consequently, companies need to be prepared to address data security during regulatory examinations and other actions. They should ensure that their privacy policies meet minimum requirements and do not overstate their security capabilities. This is not limited to privacy policies or fine print: other representations made to the public, including statements by customer service representatives, can also be deemed deceptive. Moreover, actual data security practices should at a minimum match, and ideally exceed, the representations made in privacy policies and elsewhere.
Moving forward, cybersecurity will continue to be a priority for many regulatory agencies, not just the CFPB. The CFPB will likely incorporate data security and privacy into its examination and guidance manuals as well. Companies are encouraged to monitor enforcement actions as this regulatory area continues to develop.