Dwolla, Inc. (“Dwolla”) is the first company to receive a Consent Order from the Consumer Financial Protection Bureau (“CFPB”) for flawed data security practices. The company operates an online money transfer platform and was found to be in violation of the Consumer Protection Act, which prohibits unfair, deceptive or abusive acts concerning a consumer financial product or service. The Order reiterates the CFPB’s decision to serve as a watchdog on data security issues, as well as its intention to track companies before a breach occurs. The Order can also be read as a guideline to companies as to the type of data security practices and policies that are considered important to the CFPB.
As a response, Dwolla claimed that its transactions not only surpassed the safety that credit card transactions offered but also exceeded industry security standards, and boasted to “set a new precedent for industry for safety and security.”
During its investigation, the CFPB found the following:
- Dwolla did not have a written plan detailing data security policies and procedures.
- The company also failed to regularly conduct internal risk assessments in order to detect any future breaches in security.
- Employees were not adequately trained on data security.
- Sensitive consumer information was stored and transmitted without any encryption.
In addition to being fined $100,000, Dwolla has been ordered to apply a new set of procedures and policies to safeguard consumers’ information.
A copy of the Consent Order can be found here.