Ickes \ Holt LLC

Information Security. Corporate Law. Litigation

Mar 06, 2016

CFPB’s DWOLLA Enforcement Action: A Warning to Small Financial Institutions

For the first time since its inception, the Consumer Financial Protection Bureau (CFPB) has brought the regulatory hammer down on an organization for allegedly misrepresenting the robustness of its data security program to consumers. The CFPB's target was Dwolla, Inc., the provider of an online payment platform and an agent of the financial institutions Veridian Credit Union and Compass Bank. As of May 2015, Dwolla had approximately 653,000 members and transferred as much as $5,000,000 per day. See CFPB Consent Order.

According to the Consent Order, Dwolla persistently represented to customers that its network and transactions were safe and secure, that its data-security practices exceeded industry standards, and that it set "a new precedent for the industry for safety and security." Interestingly, according to Dwolla's recent press release, the organization had neither detected any evidence of a data breach nor received any notification of one in its five years of operation. Despite the absence of a breach, the CFPB levied a substantial penalty against Dwolla, including a $100,000.00 fine and mandatory audits.

In the Dwolla case, the CFPB adopted an extraordinarily aggressive enforcement posture, especially considering that this is the agency's first data security enforcement action. The enforcement came prior to any known breach and, in fact, without any evidence of a breach. The Dwolla case therefore establishes an immediate precedent: the CFPB intends to initiate enforcement actions based upon an organization's representations concerning its data security practices, and it is willing to mete out serious consequences when an organization fails to live up to those representations. It is reasonable to expect that the CFPB will pursue many future enforcement actions against organizations whose data security practices are lacking, regardless of whether a breach has occurred. The Dwolla case is thus an opening salvo from the CFPB to which financial services organizations should pay close attention.

The Dwolla case is a cautionary tale presenting many lessons. One lesson is that where an organization represents to consumers that it has robust information security practices, those practices must be the reality. If the representation does not match reality, the CFPB will wield the might of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to bring enforcement actions against financial services organizations for "unfair, deceptive and abusive practices." "Puffery" and "mere marketing" are no longer viable defenses. Review of the Consent Order (see link above), which is essentially a negotiated settlement between the CFPB and Dwolla, shows that the CFPB based the enforcement action on Dwolla's alleged deceptive practices in violation of 12 U.S.C. §§ 5531(a) and 5536(a)(1)(B).

According to the Consent Order, Dwolla made the following representations on its website and through direct communications to consumers:

  • its data security practices “exceeded industry standards.”
  • the company “sets a new precedent for industry safety and security.”
  • that “all” information was “securely encrypted and stored” and utilized the same encryption standards as the federal government.
  • it complied with the payment card (Visa/Mastercard/AMEX) standards for data security, commonly referred to as the “PCI DSS”.


As explicitly stated in the Consent Order, Dwolla, among other things, “failed” to do the following:

  • adopt and implement data-security policies and procedures reasonable and appropriate for the organization.
  • use appropriate measures to identify reasonably foreseeable security risks.
  • ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks.
  • use encryption technologies to properly safeguard sensitive consumer information.


Apparently, prior to 2012, Dwolla's employees received little or no data security training, including training on their responsibilities when handling and protecting consumers' personal information. In 2012, an independent auditor conducted a penetration test of Dwolla's systems that included a spear-phishing email attack. The Consent Order describes the penetration test:

In December 2012, [Dwolla] hired a third party auditor to perform the first penetration test of Dwolla.com. In that test, a phishing e-mail attack was distributed to [Dwolla’s] employees that contained a suspicious URL link.  Nearly half of [Dwolla’s] employees opened the e-mail, and of those, 62% of employees clicked on the URL link.  Of those that clicked the link, 25% of employees further attempted to register on the phishing site and provided a username and password.

These results are disturbing. They underscore how readily employees can be manipulated into handing over credentials and, consequently, the importance of security-awareness training. Despite the poor test results, the CFPB found that "Dwolla failed to address the results of this test or educate its personnel about the dangers of phishing." Indeed, "Dwolla did not conduct its first mandatory employee data-security training until mid-2014."

Moreover, according to the Consent Order, despite industry standards requiring encryption of sensitive data, Dwolla did the following:

In numerous instances, [Dwolla] stored, transmitted, or caused to be transmitted the following consumer personal information without encrypting that data:

  1. First and last names;
  2. Mailing addresses;
  3. Dwolla 4-digit PINs;
  4. Social Security numbers;
  5. Bank account information; and
  6. Digital images of driver’s licenses, Social Security cards and utility bills.

The Consent Order further states that Dwolla "also encouraged consumers to submit sensitive information via e-mail in clear text, including Social Security numbers and scans of driver's licenses, utility bills, and passports, in order to expedite the registration process for new users." These are significant missteps for an organization in the business of handling confidential information and financial transactions.

Another lesson of the Dwolla case is that the CFPB's aggressiveness demands that organizations proactively establish, implement, and adhere to sound information security practices. For its failings (and bearing in mind that there is no indication a single consumer was harmed), the CFPB fined Dwolla $100,000.00 and also required Dwolla, among other things, to "establish, implement, and maintain a written, comprehensive data-security plan … reasonably designed to protect the confidentiality, integrity, and availability of sensitive consumer information." The CFPB further required Dwolla to "designate a qualified person to coordinate and be accountable for the data-security program." Additionally, Dwolla must "conduct data-security risk assessments twice annually" as well as "conduct regular, mandatory employee training on a) the Company's data-security policies and procedures; b) the safe handling of consumers' sensitive personal information; and c) secure software design, development and testing." These broad sanctions will ultimately cost Dwolla much more than an information security plan would have cost prior to the enforcement action, without even taking into account the damage to its reputation, the loss of productivity, and the cost of legal defense.

In response to the Consent Order, CFPB Director Richard Cordray issued the following statement: “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing.” He further commented, “[i]t is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

The CFPB is sending a clear message that it intends to hold financial services organizations accountable for their representations about data security practices, regardless of whether a breach or actual harm to customers has occurred. If the CFPB finds an organization's data security lacking, or its representations too grandiose, it will levy heavy sanctions, including monetary fines, compulsory implementation of a defined information security program, and mandatory ongoing oversight.

Organizations should heed the lessons of Dwolla and proactively institute sound information security policies and procedures. Many, if not most, organizations are governed by federal and state information security and privacy laws, and these laws apply whether or not the organization realizes it. Organizations need the assistance of knowledgeable and skilled information security and privacy attorneys and other experts to help them navigate the regulatory minefield and to develop and implement best practices.


ICKES CALHOUN HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security, privacy and governance. Information is the DNA of modern organizations, and ICKES CALHOUN HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.
