The Consumer Financial Protection Bureau (CFPB) has fired a shot across the bow of the cybersecurity world and the ever-expanding online payment industry, taking a cybersecurity enforcement action that marked the agency’s first foray into regulating data security.
Dwolla Inc., a Des Moines-based digital payment startup, agreed to pay a $100,000 penalty and improve its data security practices as part of a consent order that the CFPB issued last month. Without alleging that the company was breached, the CFPB accused Dwolla of overstating the measures it took to protect consumers’ personal information between December 2010 and 2014.
According to the consent order, Dwolla claimed on its website that it met or surpassed industry cybersecurity standards, even though its transactions, servers and data centers did not comply with those standards. The company also failed to live up to claims that it encrypted all sensitive personal information, according to the CFPB.
The consent order, which requires the company to fix its security practices and conduct biannual risk assessments, represented the five-year-old agency’s first step into territory traditionally policed by the Federal Trade Commission (FTC). In August, a federal court affirmed the FTC’s authority to regulate data security in FTC v. Wyndham Worldwide, — F.3d —, No. 14-3514 (3d Cir. 2015). Some industry observers say the CFPB appears to be stretching its authority over “unfair, deceptive or abusive acts or practices” as the basis for regulating data security. The Dodd-Frank Act gave the CFPB jurisdiction over privacy, but left data security with the FTC.
“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said in a prepared statement. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.