Consumer Financial Protection Bureau Penalizes Dwolla For Deceptive Acts Concerning Its Data Security Practices

King & Spalding

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) entered into a consent order with Dwolla, Inc. (“Dwolla”) that penalized the company for engaging in deceptive acts related to the company’s data security practices.  The consent order is the CFPB’s first data security action. 

Dwolla operates a payment network that allows a consumer with a Dwolla account (“user”) to transfer money to a merchant or another consumer who also has a Dwolla account.  To become a user, a consumer must submit his name, address, date of birth, telephone number, and Social Security number to Dwolla.  A user also has the option to link a bank account to his Dwolla account.  To do that, the user must submit his bank account number and his routing number.  Dwolla stores the sensitive personal information that consumers submit.

According to the CFPB, from January 2011 to March 2014, Dwolla represented to consumers that the company used reasonable and appropriate measures to protect user data from unauthorized access.  For example, Dwolla stated that it encrypted sensitive user data at rest.  Additionally, the company represented that its servers and data centers, and the transactions on its payment network, complied with the standards issued by the Payment Card Industry Security Standards Council (PCI DSS).  The CFPB, however, concluded that Dwolla had not in fact used reasonable and appropriate measures to protect user data from unauthorized access.  Among other things, the CFPB determined that Dwolla specifically failed to do the following:

  1. adopt and implement data security policies and procedures reasonable and appropriate for the organization;
  2. use appropriate measures to identify reasonably foreseeable security risks;
  3. ensure that employees who have access to or handle consumer information receive adequate training and guidance about security risks;
  4. use encryption technologies to properly safeguard sensitive consumer information; and
  5. practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website, Dwollalabs.

Additionally, the CFPB determined that, contrary to the company’s representations, its servers and data centers and the transactions on its payment network were not compliant with the standards issued by the Payment Card Industry Security Standards Council.

The CFPB fined Dwolla $100,000 for the company’s data security failures.  In addition to the fine, the CFPB required Dwolla to implement the following measures, among others, to increase the security of user data: (1) establish and implement a written, comprehensive data security plan with appropriate safeguards for the sensitivity of personal information Dwolla collects and the nature, scope, and complexity of its activities; (2) implement reasonable data security policies and procedures; (3) conduct risk assessments twice annually; (4) conduct regular, mandatory employee training; (5) implement a method of customer identity authentication; and (6) obtain an annual data security audit from an independent third party.

The Consent Order will remain in effect for five years.  A copy of the Consent Order is available here.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, bryoung@kslaw.com.
