Consumer Finance Agency Levies First Data Security Fine

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

March 2 — In its first entry into the increasingly crowded data security federal regulatory enforcement arena, the Consumer Financial Protection Bureau March 2 hit Dwolla Inc. with a $100,000 fine for making false representations about the company's data security practices in violation of the Consumer Finance Protection Act.

According to the no-fault consent order, the CFPB found that Iowa-based Dwolla—an online payment system company—deceived consumers on the company's data security practices and the safety of its online payment system. Dwolla claimed that it's payment system was “safe” and “secure” and claimed that “anyone with an internet connection” could “safely send money to friends or business.”

The action by the CFPB made a “good sized splash” and the agency is “an important new messenger” in cybersecurity enforcement, Jeremy Feigelson, a partner at Debevoise & Plimpton LLP and head of the firm's Cybersecurity & Data Privacy practice, told Bloomberg BNA March 2.

Dwolla agreed to the order “without admitting or denying any of the findings of fact or conclusions of law” contained in the CFPB's allegations.

The Federal Trade Commission has seen its long-standing dominance as the primary privacy and data security federal regulator challenged by the Federal Communications Commission and federal financial regulators.

“There are now so many agencies, state and federal, looking to make impact cases in the cyber space that it's a real challenge for companies to keep up with all the enforcement messaging,” Feigelson said.

Unfulfilled Data Security Promises

The CFPB found that Dwolla's false claims that it's data security practices “exceed industry standards or surpass industry security standards,” was in violation of the Consumer Financial Protection Act, 12 U.S.C. § 5531(a). Specifically, Dwolla failed to use “reasonable and appropriate” means to protect consumer data and it “did not encrypt some sensitive consumer data,” according to a March 2 press release.

“The specific focus on encryption here is clearly a push to corporate America to ramp up its practices in the area,” Feigelson said.

Dwolla must also stop misrepresenting its data security practices and train employees to properly and fix security flaws, the CFPB said.

Dwolla in a March 2 blog post said that it is proud of the platform's data protection and encryption methods. The company said, however, that it “may not have chosen the best language and comparisons to describe” its data security protections.

Dwolla said that it is proud of its “information security program” and its continued “focus on providing a platform to safely move money.”

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

Request Bloomberg Law: Privacy & Data Security