On March 2, 2016, the Consumer Finance Protection Bureau (“CFPB”) fined Dwolla, Inc. $100,000 for falsely representing to customers the quality of its data security practices. This is the CFPB’s first action on data security.
Dwolla represented to its customers, among other things, that its network and transactions were “safe” and “secure,” yet the CFPB found that it had failed to employ reasonable and appropriate measures to protect consumer data from unauthorized access.
Dwolla, Inc., which is based in Des Moines, Iowa and launched its services in 2009, runs an online payment network that allows its members to transfer funds to other consumers or merchants. To create an account, consumers must submit their name, address, birth date, telephone number, and Social Security number. To link their bank account, consumers must submit a bank account number and routing number. To transfer funds, consumers must then enter a username, password, and a unique 4-digit pin. Dwolla failed to encrypt this information and failed to use appropriate measures to identify reasonably foreseeable security risks, according to the CFPB.
“It has never been the company’s intent to mislead anyone on critical issues like data security,” Dwolla stated. “For any confusion we may have caused, we sincerely apologize.”
The no-fault consent order relates to Dwolla’s practices from late 2010 to 2014. Dwolla agreed to the order “without admitting or denying any of the findings of fact or conclusions of law” contained in CFPB’s allegations.
The order can be found here:
The CFPB consent order marks yet another layer of complexity for oversight of cyber security issues, adding to the efforts by the FTC to regulate the protection of consumer data under the FTC Act, and the 47 state data breach notification schemes.