On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) became the latest federal agency to enter the data security and privacy enforcement arena, assessing a $100,000 penalty against Dwolla, Inc. (Dwolla) for misrepresentations, made on its website and to customers, that lauded the sophistication of its data privacy capabilities. Specifically, the company claimed – among other things – that its data security practices exceeded or surpassed industry standards and that 100% of consumer info was encrypted and stored securely.
This publication details the significance of the CFPB’s action. First, Dwolla was penalized in the absence of any consumer complaint or breach. In addition, the CFPB did more than simply address the company’s misrepresentations, which violate the Consumer Financial Protection Act’s “unfair, deceptive, and abusive” standard: it required that the company put in place substantial compliance measures intended to address Dwolla’s insufficient data security procedures. As this alert highlights, entities subject to CFPB supervision should take careful note of the broad implications of this Order, which appears to open a significant additional area of inquiry in CFPB examinations.