The Consumer Financial Protection Bureau (CFPB) put on its gloves and stepped into the cybersecurity ring with a consent order with payment processor Dwolla. At first glance, the thought was, “Oh great, another agency with another enforcement action. Nothing new here.” But a closer look shows a few interesting things starting to appear.
Dwolla Consent Order
Let’s start with a look at the consent order. It gives some facts about Dwolla:
- The company offers a payment processing platform.
- Customers make payments via the web browser or mobile app.
- The company has about 650,000 customers.
- They transfer up to $5 million a day.
Setting up an account and using the service requires customers to provide Dwolla with several pieces of information, some of which customers probably want to be kept confidential. The information includes:
- Date of Birth
- Social Security Number
- Phone Number
- Bank Account Number
- Routing Number
- 4-Digit PIN
Sensitive information to say the least. But Dwolla understands this, and they reassure customers that their information is safe. Specifically, Dwolla boasts that its data security practices “exceeds industry standards” and “sets a new precedent for the industry for safety and security.” On top of that, Dwolla says they encrypt data “utilizing the same standards required by the federal government.” Page 6 of the consent order has more quotes from Dwolla about their top-notch data security measures.
To a normal customer, that kind of protection sounds pretty good, right? Those are solid reasons to become a Dwolla user. However, the CFPB found these claims to be false and deceptive. Specifically, the CFPB alleges that Dwolla failed to:
- Adopt and implement reasonable data security policies and procedures,
- Reasonably identify potential security risks,
- Provide adequate training to employees handling customer information,
- Use encryption to protect customer information, and
- Deploy secure software for customer-facing applications.
A few issues became apparent after the Dwolla enforcement action:
More Cybersecurity Enforcement: Ok, this one is easy. Again, the first thought was, “Here we go again. Yet another regulatory agency is joining the mix in cybersecurity.” If your company is regulated by the CFPB, you have another watchdog to worry about.
Pre-Breach Enforcement: The next thought reading this story was, “Where is the breach?” There is no news of Dwolla suffering a security breach. Are we seeing a change of focus from post-breach to pre-breach enforcement? It feels like a trend might be starting. The FTC brought an enforcement action against ASUS for its poor cybersecurity practices rather than for a breach that actually occurred. The takeaway here may be that big, headline-grabbing breaches are no longer the prerequisite for enforcement actions.
Enforcement Targets: So, if there was no breach, how did Dwolla become a target for investigation and enforcement? Did the CFPB receive an insider tip? Did they get a customer complaint? Was it a simple review of Dwolla’s privacy claims? With no clarity here, companies under CFPB regulation should review their privacy and data security practices.
The biggest takeaway is that cybersecurity enforcement can come from anywhere and at any time. It would behoove all companies to proactively address their privacy and data security practices by implementing reasonable data security policies, training their employees, and adopting best practices for protecting customer data (e.g., encrypting sensitive customer information).