CFPB Issues Its First Cyber Fine

On March 2, 2016, the Consumer Finance Protection Bureau (“CFPB”) fined Dwolla, Inc. $100,000 for falsely representing to customers the quality of its data security practices.  This is the CFPB’s first action on data security. 

Dwolla represented to its customers, among other things, that its network and transactions were “safe” and “secure,” yet the CFPB found that it had failed to employ reasonable and appropriate measures to protect consumer data from unauthorized access.

Dwolla, Inc., which is based in Des Moines, Iowa and launched its services in 2009, runs an online payment network that allows its members to transfer funds to other consumers or merchants. To create an account, consumers must submit their name, address, birth date, telephone number, and Social Security number.  To link their bank account, consumers must submit a bank account number and routing number.  To transfer funds, consumers must then enter a username, password, and a unique 4-digit pin.  Dwolla failed to encrypt this information and failed to use appropriate measures to identify reasonably foreseeable security risks, according to the CFPB.

“It has never been the company’s intent to mislead anyone on critical issues like data security,” Dwolla stated.  “For any confusion we may have caused, we sincerely apologize.”

The no-fault consent order relates to Dwolla’s practices from late 2010 to 2014.  Dwolla agreed to the order “without admitting or denying any of the findings of fact or conclusions of law” contained in CFPB’s allegations.

The order can be found here:

The CFPB consent order marks yet another layer of complexity for oversight of cyber security issues, adding to the efforts by the FTC to regulate the protection of consumer data under the FTC Act, and the 47 state data breach notification schemes.

New Year - New Data Breach Notification Rules
Billions Spent on Data Security


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.