Caveat Vendor
CFPB’s First Foray Into Data Security Makes $100,000 Splash
March 04, 2016
Thomas Brown and Molly Swartz
On March 2, the Consumer Financial Protection Bureau (the “Bureau”) announced an enforcement action against the online payment processor Dwolla Inc. (“Dwolla”). This is the Bureau’s first enforcement action related to data security brought under its authority to prohibit unfair, deceptive, and abusive acts and practices (“UDAAP”). Finding that Dwolla had deceived consumers about its data security practices, the Bureau ordered Dwolla to pay $100,000 in civil penalties, to stop misrepresenting its data security practices, to train employees in its data security policies, and to fix existing security flaws.
This action represents an extreme departure from previous Federal Trade Commission (“FTC”) actions involving unfair or deceptive claims. While the FTC has ordered companies to revise and restructure their existing data security programs, it has not imposed substantial financial penalties in the absence of consumer harm. In the FTC’s recent action against Wyndham Worldwide Corporation, for example, the FTC alleged that Wyndham’s security practices exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches. Wyndham’s practices resulted in more than $10.6 million in fraud loss, as well as unreimbursed fraudulent charges and lost access to funds or credit. In response, the FTC required the company to establish a comprehensive information security program to protect cardholder data, to conduct annual information security audits, and to safeguard its servers. Yet even though Wyndham’s practices resulted in tangible injury to consumers, the FTC did not levy any financial penalty.