Yesterday, in its first data security action, the CFPB ordered Dwolla, a payment processor, to pay a $100,000 civil money penalty and to correct its security practices after the company deceived consumers about the integrity of its online payment system and the security of their data. In 2015 alone, Dwolla serviced some 650,000 users, transferring as much as $5 million a day. In its marketing materials, Dwolla claimed that its security practices exceeded industry standards and that it would protect customers from unauthorized access to their encrypted personal information. The CFPB, however, found that the claim to “exceed” or “surpass” industry security standards was false, and that Dwolla failed to use “reasonable and appropriate measures” to protect customer information. Further, Dwolla stored some of the personal information it held without encryption, and released applications for public use before testing them to determine whether they were secure.
In addition to the civil penalty, Dwolla was required to obtain an annual data security audit, establish and implement a comprehensive data security plan, and take other remedial steps to improve the safety and security of its operations and of the consumer information available to it. The Consent Order can be found here.
We will watch for further (and likely) actions by the CFPB concerning data security.