
The CFPB Takes First Enforcement Action Related to Data Security Practices

The Consumer Financial Protection Bureau (CFPB) has taken its first UDAAP enforcement action against a consumer financial service provider over its data security practices. Since its launch in December 2009, Dwolla, Inc. ("Dwolla"), an online payment service company, has collected and stored consumers’ sensitive personal information while providing a platform for online financial transactions.

The CFPB found that from 2010 to 2014, Dwolla misrepresented to consumers that its network and transactions were "safe" and "secure," in violation of the Consumer Financial Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices (UDAAP). Specifically, the CFPB found that Dwolla misrepresented, on its website and in communications with consumers, that:

  • It employed "reasonable and appropriate measures to protect data obtained from consumers." In fact, Dwolla did not adopt or implement data security policies and procedures until 2012, did not adopt a written data security plan until 2013, and did not conduct its first comprehensive risk assessment until mid-2014.
  • "100%" of its consumers’ information was "encrypted and stored securely." Dwolla did not, in all instances, encrypt consumers’ Social Security numbers, bank account information, names, addresses, 4-digit PINs, or digital images of driver’s licenses and Social Security cards.
  • Its data security practices "exceed" or "surpass" industry security standards. Dwolla did not conduct its first mandatory employee data security training until more than a year and a half after a penetration test had demonstrated that such training was needed.
  • Its transactions, servers and data centers were "safer than credit cards" and "PCI compliant." Dwolla’s transactions, servers and data centers were not compliant with the standards issued by the Payment Card Industry (PCI) Security Standards Council.

A $100,000 civil money penalty was assessed against Dwolla, and the company was ordered to stop misrepresenting its data security practices, to fix those practices, and to train its employees. Dwolla consented to the order without admitting or denying the CFPB’s findings of fact or conclusions of law. Notably, the action did not rest on any breach: on the day the order was issued, Dwolla announced in a blog post on its website that it had never detected any evidence or indicators of a data breach, nor received a notification or complaint of such an event.

CFPB Director Richard Cordray said, "With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices." Given the agency’s aggressive posture and its heavy reliance on UDAAP in its enforcement orders, the Dwolla action signals that representations about data security, and whether a company’s actual controls match what it tells consumers, are now on the CFPB’s radar as well.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.