
CFPB Targets Online Payment Platform in First Enforcement Action on Cybersecurity

By Donald J. Mosher, April 12, 2016, in Industry Opinions


By Schulte Roth & Zabel attorneys Donald J. Mosher, Lisa A. Prager, Michael L. Yaeger, Melissa G.R. Goldstein and Kimberly G. Monty.

The Consumer Financial Protection Bureau (“CFPB”) broke new ground last week with its Consent Order against Dwolla Inc. (“Dwolla”), an online payment platform, for deceiving consumers about its information security practices.

The Consent Order alleges that Dwolla made public statements regarding the efficacy of its data security system and failed to fulfill those promises. The enforcement action is especially striking because the CFPB imposed a $100,000 civil monetary penalty on Dwolla despite the lack of any evidence that the payment processor experienced a data breach or any kind of cybersecurity incident, and also because the CFPB imposed significant — and expensive — new compliance obligations beyond what other federal regulators have demanded in similar situations. Most notably, the Consent Order provided that Dwolla must perform regular risk assessments and retain an independent third party to perform an annual cybersecurity audit for the next five years.

In effect, the Consent Order warns entities subject to CFPB regulation to give particular attention to any representations they make on a website or in direct communications with consumers regarding information security. Entities seeking to evaluate the accuracy of any such representations or to improve their own information security practices should take note of the CFPB’s allegations as well as the corrective action that the CFPB imposed on Dwolla.

The CFPB’s Allegations
The Consent Order alleges that Dwolla made materially deceptive statements to consumers when Dwolla represented, among other things, that it: (1) complied with the Data Security Standard promulgated by the Payment Card Industry (“PCI”) Security Standards Council; (2) “encrypted and stored securely” “100%” of consumers’ information and “all sensitive information that exists on its servers,” including both “data in transit and at rest”; and (3) “exceed[ed] industry standards” for information security.

According to the CFPB, Dwolla’s transactions, servers and data centers were not, in fact, PCI compliant; Dwolla did not “encrypt all sensitive consumer information in its possession”; and Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.” To the contrary, “[i]n numerous instances, [Dwolla] stored, transmitted, or caused to be transmitted … without encrypting … : “first and last names”; “mailing addresses”; “Dwolla 4-digit PINS”; “Social Security numbers”; “[b]ank account information”; and “digital images of driver’s licenses, Social Security cards and utility bills.”

The CFPB also criticized Dwolla for failing to take action or educate its employees after they performed poorly in a penetration test that simulated an email phishing attack — that is, an attack in which employees were sent deceptive emails designed to trick them into clicking on a suspicious link. In fact, the CFPB noted with disapproval that, although the penetration test was conducted in 2012, “Dwolla did not conduct its first mandatory employee data-security training until mid-2014.”

Interestingly, however, one thing the CFPB did not claim was that Dwolla’s failure to maintain adequate data security measures to protect consumer information was an “unfair” practice. Rather, the CFPB based its action entirely on Dwolla’s alleged failure to keep its promises regarding information security.

The Remedy
The Consent Order restrains and enjoins Dwolla from making misrepresentations, whether expressly or by implication, regarding its data security practices, including its encryption practices or PCI compliance, and requires Dwolla to pay a $100,000 civil penalty. The Consent Order also imposes many other requirements on Dwolla, including that the company:


Tags: Compliance and Regulation, Fraud Risk and Analytics