By Dickinson Mackaman Tyler & Hagen PC

Dwolla, Inc.: No data security breach, expanded CFPB reach

Friday, March 11, 2016 11:04

(Before It's News)

Late last week, the Consumer Financial Protection Bureau (“CFPB”) issued an enforcement action against the Iowa-based payments processor, Dwolla, Inc. In the Order, available here, the CFPB alleged that Dwolla misrepresented its data security and the safety of its online payment system to its customers. The CFPB assessed a penalty of $100,000 and ordered Dwolla to fix its data security practices. More information from the CFPB and from Dwolla is available here and here.

There are three reasons this Order from the CFPB is significant:

  1. A data breach did not occur; rather, the CFPB asserted that Dwolla overstated its actions to protect consumer information. This signals a shift by the CFPB from defensive to offensive. Also significant is the size of the company targeted. The CFPB’s focus on a middle-sized, start-up company following a consumer complaint suggests that no business is immune from CFPB scrutiny and that routine exams by regulators are not the only means for uncovering potential violations.
  2. This is the first data security-related fine by the CFPB. The Order alleges that Dwolla’s data security measures were not “reasonable and appropriate.” No written CFPB guidance, regulations, or even prior enforcement actions are cited. Instead, it refers to “industry standards” and to the PCI Security Standards Council. The fact that these security standards are fluid implies that the burden to stay abreast of changing industry practices falls squarely on businesses going forward.
  3. The Order provides some direction to other business organizations. The following issues were highlighted by the CFPB as mandatory security measures Dwolla must take to protect consumers’ personal information:
     • A Written Data Security Policy and Procedures
     • Regular Risk Assessments
     • Employee Training on Data Security
     • Encryption of Data
     • Vendor Training and Testing Software for Vendor Security

In the future, an organization’s failure to maintain these baseline practices could be viewed by the CFPB as a data security violation.

This blog previously covered the liability that organizations can face for failing to adhere to privacy policies. The CFPB’s assertive action in the Dwolla case should be another warning to organizations about understanding the commitments they make in their privacy policies.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.



Source: http://www.dickinsonlaw.com/2016/03/dwolla-inc-data-security-breach-expanded-cfpb-reach/
