CFPB Enters the Data Security Enforcement Arena
A new regulator has joined the list of entities – including the FTC, the SEC, and State Attorneys General – that have brought enforcement proceedings against companies with respect to their data-security practices. In March 2016, the Consumer Financial Protection Bureau (“CFPB”) announced that it had settled an enforcement action with an Iowa-based digital-payments processing company, Dwolla, Inc. (the “Company”), related to allegedly deceptive statements regarding the Company’s data-security practices. Established pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the CFPB has regulatory authority related to the provision of certain consumer financial products and services. The CFPB’s first foray into this area signals to providers of consumer financial products and services that regulatory scrutiny of their data security practices may be increasing.
Inadequate Data Security Practices and Misleading Representations
The CFPB brought its first data-security enforcement action pursuant to Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, which broadly prohibit unfair or deceptive practices in connection with offering or providing consumer financial products and services. In the consent order accompanying the settlement, the CFPB alleged that the Company falsely represented to its customers that the Company employed reasonable and appropriate measures to protect customers’ sensitive personal information.
Such sensitive personal information included consumer names, addresses, birth dates, telephone numbers, Social Security numbers, bank account and routing numbers, usernames and passwords, and unique 4-digit PIN numbers associated with consumer accounts.
The CFPB alleged that the Company made a number of misleading representations to consumers with respect to its data-security practices.
These allegedly misleading representations included statements on the Company’s website or in direct communications with consumers that:
The CFPB concluded that, in fact, the Company failed to employ reasonable and appropriate measures to protect consumer data. The Bureau found that (i) the Company’s data security practices did not exceed or surpass industry standards, (ii) the Company did not encrypt all sensitive consumer information in transit and storage, and (iii) the Company’s transactions, servers, and data centers were not PCI-compliant.
The Company’s network and transactions were “safe,” “secure,” and safer than credit-card transactions;
The Company’s data-security standards exceeded or surpassed industry standards;
All sensitive customer information was securely encrypted in transit and storage; and
The Company’s transactions, servers, and data centers were compliant with Payment Card Industry (“PCI”) Security Standards.
In light of these findings, the Company agreed to pay a $100,000 civil penalty. The Company also agreed to refrain from misrepresenting its data-security practices and to comply with certain ongoing conduct and reporting requirements, including:
Adopting and implementing a written, comprehensive data-security plan;
Designating a qualified person to coordinate and be accountable for the data-security program;
Conducting periodic data-security risk assessments to identify and respond to internal and external risks to sensitive customer information;
Providing regular, mandatory employee training regarding data security;
Obtaining an annual data-security audit from an independent third-party;
Submitting annual data-security audit reports and other periodic compliance progress reports to the CFPB Enforcement Director; and
Complying with certain record-keeping requirements regarding the Company’s data security practices.
The CFPB’s first data-security enforcement action offers a number of lessons for providers of consumer financial products and services and other companies. Those lessons include:
Companies that collect and store sensitive customer information should consider taking appropriate steps to secure that information. The consent order in this case suggests a number of such steps, including (i) adopting and implementing a written, comprehensive data security plan; (ii) conducting periodic risk assessments; (iii) designating a person responsible for the company’s data security policies and practices; and (iv) complying with industry standards for the protection of sensitive personal information, including the use of encryption.
Companies should consider training employees to properly identify sensitive customer information and associated risks. Such employee training may start with the HR department as discussed previously in this article.
As new governmental agencies review your company’s data security and privacy practices, it is increasingly important that your attorney understands this ever-changing legal landscape. Legal counsel can play an important role in ensuring that your company complies with data security and privacy laws and regulations.
Ice Miller advises clients on a wide spectrum of data security and privacy issues. Albert Lin
, a business litigator, represents clients in matters of government regulatory enforcement and served as General Counsel to Ohio Attorney General Richard Cordray, who is now the Director of the CFPB. Lin can be reached at firstname.lastname@example.org
or (614) 462-4939. Eric McKeown
, a former software developer, is a member of Ice Miller’s Data Security & Privacy Practice and represents clients in government regulatory enforcement matters. McKeown can be reached at email@example.com
or (317) 236-2236.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
In connection with the consent order, the Company neither admitted nor denied any of the Bureau’s non-jurisdictional findings of fact or conclusions of law.