The Consumer Financial Protection Bureau (CFPB) has announced its first data security enforcement action.  Since the 1990s, the Federal Trade Commission (FTC) has primarily taken on the role as the de facto federal regulator of data security issues.  The FTC has relied on its Section 5 authority to prohibit companies from engaging in unfair and deceptive acts and practices (UDAAP).  The CFPB, however, has been empowered with enhanced authority to bring enforcement actions against companies engaged in UDAAP.  The Dodd-Frank Act excludes from the definition of "enumerated consumer laws" subject to the CFPB's jurisdiction the provisions of Gramm-Leach-Bliley which deal with data security.  The absence of any prior enforcement action, much less any emphasis on data security on the CFPB's website, has suggested that the CFPB might defer to the federal banking agencies and the FTC when it comes to investigating and taking enforcement actions related to data security.  Although the CFPB lacks enforcement authority with respect to the data security provisions of Gramm-Leach-Bliley, the CFPB has apparently decided that it can use its UDAAP authority with respect to data security matters.  That significantly ups the ante for large banks and non-banks subject to the CFPB's enforcement jurisdiction.

The CFPB’s target in this action is Dwolla, Inc. (“Dwolla”), a company that operates an online payment system, which uses consumers’ personal information to complete financial transactions. Focusing on the deception prong under UDAAP, the CFPB alleged that the company failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company has implemented practices that exceed industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS).  However, the CFPB alleged that Dwolla failed to:

  • Adopt and implement reasonable and appropriate data security policies and procedures;

  • Use appropriate measures to identify reasonably foreseeable security risks;

  • Ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;

  • Use encryption technologies to properly safeguard sensitive consumer information; and

  • Practice secure software development, particularly with regard to consumer facing applications developed at an affiliated website.

Dwolla has agreed to a settlement to resolve the CFPB data security allegations.  Under the terms of the consent order, Dwolla must cease making any misrepresentations about its data security practices; implement comprehensive data security measures and policies, which must include designating a qualified person to coordinate and be accountable for the company’s data-security program as well as conducting risk assessments and audits; provide data security training to employees; fix any security weaknesses found in its web and mobile applications; securely store and transmit consumer data; and pay a $100,000 civil money penalty.

In the CFPB press release, CFPB Director Richard Cordray noted that, “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”  Financial institutions should prepare for increased CFPB activity in the areas of data security and privacy, not only under the CFPB’s UDAAP authority, but we expect to see enforcement actions in the near future relating to the CFPB's enforcement of the privacy provisions of the Gramm-Leach-Bliley Act.

On March 18, 2016, Ballard Spahr attorneys will hold a webinar entitled "The CFPB's First Data Security Enforcement Action – Its Significance for Banks and Non-Banks" from 12 p.m. to 1 p.m. ET. The webinar registration form is available here.

Attorneys in Ballard Spahr's Consumer Financial Services Group monitor every CFPB action and keep clients informed with our award-winning blog, CFPB Monitor, which focuses exclusively on important CFPB developments. We assist clients in handling CFPB matters and scrutiny, including the facilitation of engagement with the CFPB to discuss rulemaking, preparation for CFPB exams, assistance in responding to CFPB civil investigative demands, and defense in litigation when necessary.

Members of Ballard Spahr’s Privacy and Data Security Group regularly advise financial institutions on compliance with consumer financial services laws related to privacy and data security issues.  We assist to evaluate, operationalize, and monitor new and existing products and services to ensure that financial institutions are regularly meeting their privacy and data security obligations in a rapidly evolving regulatory landscape.  We regularly counsel financial institutions when engaging with federal agencies, such as the Consumer Financial Protection Bureau and the Federal Trade Commission. 


Copyright © 2016 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.