CFPB Initiates Its First Data Security Enforcement Action

The Consumer Financial Protection Bureau (CFPB) has announced its first data security enforcement action. Since the 1990s, the Federal Trade Commission (FTC) has acted as the de facto federal regulator of data security, relying on its Section 5 authority to prohibit unfair or deceptive acts or practices (UDAP). The Dodd-Frank Act gave the CFPB a broader version of that authority: it may bring enforcement actions against companies engaged in unfair, deceptive, or abusive acts or practices (UDAAP), the "abusive" prong being an addition to the FTC's standard. At the same time, Dodd-Frank excludes the data security provisions of the Gramm-Leach-Bliley Act from the "enumerated consumer laws" that fall within the CFPB's jurisdiction. That exclusion, the absence of any prior enforcement action, and the lack of any emphasis on data security on the CFPB's website all suggested that the CFPB would defer to the federal banking agencies and the FTC when it came to investigating data security and bringing enforcement actions. Although the CFPB lacks enforcement authority over the data security provisions of Gramm-Leach-Bliley, it has now decided that its UDAAP authority reaches data security matters. That significantly ups the ante for the large banks and non-banks subject to the CFPB's enforcement jurisdiction.

The CFPB’s target in this action is Dwolla, Inc. (“Dwolla”), which operates an online payment system that uses consumers’ personal information to complete financial transactions. Relying on the deception prong of UDAAP, the CFPB alleged that Dwolla represented on its website and in communications with consumers that it had implemented data security practices exceeding industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), when in fact the company failed to:

  • Adopt and implement reasonable and appropriate data security policies and procedures;
  • Use appropriate measures to identify reasonably foreseeable security risks;
  • Ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • Use encryption technologies to properly safeguard sensitive consumer information; and
  • Practice secure software development, particularly for the consumer-facing applications developed at an affiliated website.

Dwolla has agreed to a settlement to resolve the CFPB data security allegations. Under the terms of the consent order, Dwolla must cease making any misrepresentations about its data security practices; implement comprehensive data security measures and policies, which must include designating a qualified person to coordinate and be accountable for the company’s data-security program as well as conducting risk assessments and audits; provide data security training to employees; fix any security weaknesses found in its web and mobile applications; securely store and transmit consumer data; and pay a $100,000 civil money penalty.

In the CFPB press release, CFPB Director Richard Cordray noted that, “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.” Financial institutions should prepare for increased CFPB activity in the areas of data security and privacy. We expect that activity not only under the CFPB’s UDAAP authority, but also, in the near future, under the privacy provisions of the Gramm-Leach-Bliley Act, which require financial institutions to protect the privacy of consumers’ financial information and which, unlike the Act’s data security provisions, do fall within the CFPB’s enforcement jurisdiction.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP