The Consumer Financial Protection Bureau (“CFPB”) has announced its first data security enforcement action. On Wednesday (March 2), the CFPB released a consent order against Dwolla, an online payment platform company, alleging that it failed to maintain adequate data security practices despite representing, on the company website and in communications with consumers, that it had implemented practices that exceed industry standards. As a result, Dwolla must pay $100,000 in penalties and endeavor to repair its security initiatives.
In a statement released in tandem with news of the charges, CFPB Director Richard Cordray said: “Consumers entrust digital payment companies with significant amounts of sensitive personal information. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
Under the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act (“CFPA”), the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices (“UDAAP”), or that otherwise violate federal consumer financial laws. This consent order is particularly noteworthy because it indicates the CFPB’s belief that the CFPA provides the agency with the authority to police data security practices in the financial space. Financial institutions should prepare for increased CFPB activity in the areas of data security and privacy.