The Consumer Financial Protection Bureau stepped into the cyber security enforcement realm on Wednesday, announcing its first enforcement action related to the adequacy of a company’s data security practices.
Dwolla, an e-commerce start-up that enables its users to send money to one another without paying banking or transfer fees, agreed to pay a $100,000 fine and submit to a risk assessment of its data security practices twice per year.
The company said in a blog post that it has never experienced a data breach in its five years of operations, but the consent order states that Dwolla did not take “reasonable and appropriate measures” to protect consumer information, including not encrypting all of its “sensitive” consumer information in its possession.
“This settlement is the CFPB’s warning shot to the industry as to its expectations,” said Andrew Sandler, a financial services lawyer at BuckleySandler, where he is chair and executive partner.
That the company faced an enforcement action despite never having experienced a data breach is not surprising, said Boris Segalis, the U.S. co-chair of Norton Rose Fulbright’s data privacy and cybersecurity practice.
Across the board, from the Federal Trade Commission to the Securities and Exchange Commission, and now the CFPB, Segalis said agencies are shifting focus from how companies respond to a breach to looking at companies’ preventative policies against a data breach.
“They’re really focusing on information security and not necessarily breach enforcement,” he said.
In the Dwolla case, the CFPB cited its authority under the Dodd-Frank Act to protect consumers against deceptive practices and false representations. The consent order alleges that the company made a series of misrepresentations, including that its security “exceeds” industry standards and that it was compliant with a set of global standards adopted by the large credit card companies (the Payment Card Industry Data Security Standard).
In a statement, Dwolla said it has “never been more proud of our data security practices” and that the investigation “covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012.”
“The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices,” the statement continued.
Rajesh De, who leads Mayer Brown’s cyber security practice and is the former general counsel of the National Security Agency, said the case highlights the standards that regulators are expecting from companies with regard to data security.
“Because there are no mandatory [national] data security standards ... regulators will often look to companies’ representations about their security standards,” said De.
He added, “I think the consent order is a useful data point to see what regulators are focusing on,” such as a written security plan, risk assessments and other points.
Sandler said that when the CFPB launches a new initiative, such as data security enforcement, it generally increases the severity of the fines and the terms of a settlement with each successive case — the idea being that companies will heed the prescriptions of earlier settlements.
Here, the $100,000 fine may be significant for Dwolla, whose financial statements are not public. Founded in 2009, the company has raised $32.4 million from Andreessen Horowitz and other investors. As of May 2015, it had 653,000 users and had transferred as much as $5,000,000 per day, according to the settlement.
Rena Mears, managing director of BuckleySandler’s privacy, cyber security and data security practice, said that the real cost may lie in conducting the twice-yearly risk assessments and hiring someone with the skill set to ensure the company’s data policies are adequate, which will likely run into the low six figures.
Margo Tank, also with BuckleySandler’s privacy group, said the fact that the CFPB’s consent order mandates that Dwolla’s board review data security plans and procedures, and authorize any actions, is an attempt to create accountability.
“They’re really bringing the responsibility to the top of the company because this has become pandemic,” said Tank.
Sandler said that CFPB examiners are spending an increasing amount of time scrutinizing cyber security policies; meanwhile, Segalis said that SEC examiners are also spending more time reviewing companies’ policies.
“This settlement is an indicator that cyber security enforcement is about to hit a new and significantly more aggressive level, across the enforcement agencies that believe they have jurisdiction,” said Sandler.
(UPDATED: This post has been clarified to reflect that Sandler’s core competency is financial services regulation and litigation.)