This week, the CFPB made its first foray into the data
privacy arena by entering into a Consent Order with online payment processor,
Dwolla. Inc. via an administrative proceeding.
The Consent Order sends a clear message across the consumer financial
services arena that the CFPB will use its UDAAP umbrella to extend its reach
and that no consumer harm is required for the CFPB to flex its muscle.
According to the CFPB, it took action because Dwolla “deceived
consumers about its data security practices and the safety of its online
payment system.” Without admitting any
wrongdoing, the Consent Order includes findings that Dwolla collected and
stored consumers’ private information and provided a platform for financial
transactions. According to the findings,
Dwolla represented that it maintained “reasonable and appropriate measures to
protect data obtained from consumers from unauthorized access.” However, the CFPB concluded that Dwolla in
fact did not take reasonable and appropriate measured to protect consumer data.
Specifically, the Order finds that, among other things:
·
For a significant period of time, Dwolla did not
adopt or implement reasonable and appropriate data-security policies and
procedures to govern the collection, maintenance or storage of consumers’
personal information;
·
For a significant period of time, Dwolla failed
to conduct adequate regular risk assessments to identify reasonably foreseeable
internal and external risks to information and to assess the safeguards in
place to control these risks;
·
For a significant period of time, Dwolla did not
provide adequate employee training as to the handling and protection of
consumers’ personal information;
·
For a significant period of time, Dwolla transmitted
consumers’ personal information without encrypting it; and
·
For a significant period of time, Dwolla did not
adequately manage its vendors as to data security.
Pursuant to the Consent Order, Dwolla is required, to the extent
it has not done so already:
·
Accurately represent in its marketing,
advertising, promotion or administration of its electronic payment networks the
data security practices implemented by Dwolla;
·
Implement a comprehensive Written Information
Security Plan which mirrors the requirements of GLBA’s Safeguard Rules and
which:
o
Designates a qualified person to coordinate its
data security program;
o
Identifies reasonably foreseeable internal and
external risks to the security and confidentiality of consumer nonpublic information
and assess the sufficiency of the institution’s
safeguard in place to control those risks, including risks in areas of
operation specifically:
§
Employee training and management; and
§
Confidentiality and integrity of Dwolla’s
network systems or apps and storage systems;
o
Implement safeguards to manage the identified
risks and regularly test and monitor risks;
o
Develop, implement and maintain reasonable procedures
for the selection and retention of service vendors capable of maintaining
security practices consistent with the Consent Order; and
o
Evaluate and adjust the data security program in
light of the results of the risk assessments and monitoring.
·
Retain a third party independent auditor to conduct
an annual data-security audit of Dwolla’s data security practices; and
·
Pay a civil monetary penalty of $100,000.00.
Several things make this order significant and banks and
nonbanks alike should take note:
·
Prior to this action, there had been no
indication by the CFPB, either through its website or other publications, that
it was focused on data security leading many to assume they would defer to the
FTC and other regulators on issues of data privacy;
·
Gramm Leach Bliley and its Safeguard Rules (which
provide for the protection of consumer nonpublic information by financial
service providers) are not among the
enumerated consumer protection statutes over which the CFPB has jurisdiction;
·
The Consent Order reflects the CFPB’s position
that its UDAAP (unfair and deceptive acts) umbrella liability is expansive enough
to take on data security issues; and
·
The Consent Order makes no finding of a data
breach or some other sort of consumer or injury.
Banks and nonbanks alike should pay close attention to the
Dwolla Order and expect to see the CFPB continue take expansive views of its
authority to regulate.
No comments:
Post a Comment