Page 73 - Pay Magazine s2014

volume 9 • fall 2016
A Cautionary Tale Regarding Data Security: Dwolla Inc.
In March 2016, the CFPB filed its first enforcement action based on data-security practices. The CFPB issued a consent order with Dwolla Inc., a payment network that facilitates the transfer of funds from one user to another. In connection with these services, the company collected sensitive personal information and made representations regarding its data-security practices. The CFPB alleged that the company’s “representations regarding its data-security practices ... were likely to mislead a reasonable consumer into believing that Dwolla had incorporated reasonable and appropriate data-security practices when it had not” and thus, the company engaged in deceptive practices in violation of the Consumer Financial Protection Act.
The CFPB alleged that the following express representations were false and thus deceptive:
• The payment network and transactions on the network were “safe” and “secure”
• The services empowered “anyone with an Internet connection to safely send money to friends or businesses”
• The company’s transactions were “safer [than credit cards] and less of a liability for both consumers and merchants”
• The company’s data-security practices “exceed[ed] industry standards,” “surpass[ed] industry security standards,” and “set a new precedent for the industry for safety and security”
• Information was stored “in a bank-level hosting and security environment,” encrypted using “the same standards required by the federal government,” “securely encrypted and stored,” and encrypted both “in transit and at rest”
• The company was “PCI compliant” and used “the latest encryption and secure connections”
The CFPB cited the company’s failure to adopt or implement written data-security policies and procedures to govern the collection, maintenance or storage of consumer personal information. The agency also alleged a failure to conduct adequate risk assessments and employee training on data security.
As part of the remedial conduct mandated by the order, the company agreed to:
• Stop misrepresenting its data-security practices, including its data storage and encryption capabilities, PCI compliance, and adherence to standards or best practices
• Adopt and implement reasonable and appropriate data-security measures
• Improve the safety and security of consumer information on its networks by:
- Developing and implementing a reasonably designed comprehensive data-security plan
- Adopting and implementing reasonable and appropriate data-security measures
- Designating a qualified person to coordinate and be responsible for the data-security program
- Conducting semi-annual risk assessments and evaluating and adjusting the program as needed
- Conducting mandatory employee training on the company’s data-security policies, the safe handling of sensitive personal information, and secure software design, development and testing
- Developing and implementing security patches to fix vulnerabilities
- Developing and implementing appropriate “identity authentication at registration and before effecting a funds transfer”
paybefore.com 71