By Schulte Roth & Zabel attorneys Donald J. Mosher, Lisa A. Prager, Michael L. Yaeger, Melissa G.R. Goldstein and Kimberly G. Monty.
The Consumer Financial Protection Bureau (“CFPB”) broke new ground last week with its Consent Order against Dwolla Inc. (“Dwolla”), an online payment platform, for deceiving consumers about its information security practices.
The Consent Order alleges that Dwolla made public statements regarding the efficacy of its data security system and failed to fulfill those promises. The enforcement action is especially striking because the CFPB imposed a $100,000 civil monetary penalty on Dwolla despite the lack of any evidence that the payment processor experienced a data breach or any kind of cybersecurity incident, and also because the CFPB imposed significant — and expensive — new compliance obligations beyond what other federal regulators have demanded in similar situations. Most notably, the Consent Order provided that Dwolla must perform regular risk assessments and retain an independent third party to perform an annual cybersecurity audit for the next five years.
In effect, the Consent Order warns entities subject to CFPB regulation to give particular attention to any representations they make on a website or in direct communications with consumers regarding information security. Entities seeking to evaluate the accuracy of any such representations or to improve their own information security practices should take note of the CFPB’s allegations as well as the corrective action that the CFPB imposed on Dwolla.
The CFPB’s Allegations
The Consent Order alleges that Dwolla made materially deceptive statements to consumers when Dwolla represented, among other things, that it: (1) complied with the Data Security Standard promulgated by the Payment Card Industry (“PCI”) Security Standards Council; (2) “encrypted and stored securely” “100%” of consumers’ information and “all sensitive information that exists on its servers,” including both “data in transit and at rest”; and (3) “exceed[ed] industry standards” for information security.
According to the CFPB, Dwolla’s transactions, servers and data centers were not, in fact, PCI compliant; Dwolla did not “encrypt all sensitive consumer information in its possession”; and Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.” To the contrary, “[i]n numerous instances, [Dwolla] stored, transmitted, or caused to be transmitted … without encrypting …”: “first and last names”; “mailing addresses”; “Dwolla 4-digit PINS”; “Social Security numbers”; “[b]ank account information”; and “digital images of driver’s licenses, Social Security cards and utility bills.”
The CFPB also criticized Dwolla for failing to take action or educate its employees after they performed poorly in a penetration test that simulated an email phishing attack — that is, an attack in which employees were sent deceptive emails designed to trick them into clicking on a suspicious link. In fact, the CFPB noted with disapproval that, although the penetration test was conducted in 2012, “Dwolla did not conduct its first mandatory employee data-security training until mid-2014.”
Interestingly, however, one thing the CFPB did not claim was that Dwolla’s failure to maintain adequate data security measures to protect consumer information was an “unfair” practice. Rather, the CFPB based its action entirely on Dwolla’s alleged failure to keep its promises regarding information security.
The Consent Order restrains and enjoins Dwolla from making misrepresentations, whether expressly or by implication, regarding its data security practices, including its encryption practices or PCI compliance, and requires Dwolla to pay a $100,000 civil penalty. The Consent Order also imposes many other requirements on Dwolla, including that the company: