Wading into the enforcement of data security practices, the Consumer Financial Protection Bureau (CFPB) yesterday hit Dwolla Inc., an online payment processor, with a $100,000 fine for myriad violations of the Consumer Financial Protection Act of 2010.
Specifically, the CFPB, in a scathing Order, detailed how Dwolla, which at the time of the Order had approximately 650,000 users and was transferring up to five million dollars per day, misrepresented the level of its security practices to consumers from 2011 to 2014. The allegations include claiming that its security practices “exceeded” or “surpassed” industry standards, that consumers’ information was securely encrypted and stored, both in transit and at rest, that its platform was safer than credit cards, and that it stored consumers’ information “in a bank-level hosting and security environment” and “encrypts data using the same standards required by the federal government,” all of which were false according to the CFPB.
In fact, the CFPB states that Dwolla failed to adopt security policies, failed to adopt a written information security plan, failed to implement a risk assessment, failed to train employees, and even encouraged consumers to submit sensitive information, including Social Security numbers, via non-encrypted email.
In addition to imposing the $100,000 fine, the CFPB is requiring Dwolla to stop misrepresenting its data security practices, train its employees, fix the weaknesses on its web and mobile applications, and implement security practices. The CFPB is another federal agency to keep an eye on as an enforcer of the data security practices of financial institutions.