CFPB Takes Step Into Cybersecurity Regulation

By C. Ryan Barber
April 01, 2016

The Consumer Financial Protection Bureau (CFPB) has fired a shot across the bow of the burgeoning online-payment industry, taking an enforcement action this week that marked the agency's first foray into regulating cybersecurity.

Dwolla Inc., a Des Moines-based digital payment startup, agreed to pay a $100,000 penalty and improve its data security practices as part of a consent order that the bureau issued last month. Without alleging that the company was breached, the bureau accused Dwolla of overstating the measures it took to protect consumers' personal information between December 2010 and 2014.

The consent order, which requires the company to fix its security practices and conduct biannual risk assessments, represented the five-year-old agency's first step into territory traditionally policed by the Federal Trade Commission (FTC). In August, a federal court affirmed the FTC's authority to regulate cybersecurity in FTC v. Wyndham Worldwide, — F.3d —, No. 14-3514 (3d Cir. 2015).

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said in a prepared statement. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

Dwolla, which had about 650,000 customers as of May 2015, did not admit or deny the allegations and agreed to a relatively small penalty for the CFPB, according to the consent order.

“The CFPB takes a very expansive view of its jurisdiction,” says Andrew Sandler, chairman and executive partner of BuckleySandler. “This settlement is the CFPB's announcement that it intends to hold companies responsible for ensuring there are policies and protections around consumer data.”

John Culhane, a partner at Ballard Spahr, says the bureau appears to be stretching its authority over “unfair, deceptive or abusive acts or practices” to regulate cybersecurity. The Dodd-Frank Act gave the bureau jurisdiction over privacy but left data security with the FTC and prudential regulators, he says.

“It's their first step in this area, and they're really pushing the boundaries of their authority,” says Culhane. “It sure looks like they're using their [unfair acts] authority to make an end run around that restriction.”

With its opening salvo in the data security domain, the bureau appears to have gone for a quick and clean resolution that was reached without any significant challenge to its jurisdiction.

“The CFPB has a well-developed practice to initiate new enforcement initiatives by announcing an initial consent decree with smaller organizations that might not have the same resources to defend themselves, and then proceeding from there,” Sandler says.

According to the consent order, Dwolla, which was represented in the matter by Wilmer Cutler Pickering Hale & Dorr, claimed on its website that it met or surpassed industry security standards, even though its transactions, servers and data centers did not comply with those standards. The company also failed to live up to claims that it encrypted all sensitive personal information, according to the bureau.

“It's not a breach situation that has instituted this consent order. That should get companies' notice, that the CFPB is starting to examine and look at what companies are saying publicly,” says BuckleySandler partner Margo Tank.


C. Ryan Barber writes for our ALM sibling The National Law Journal. He can be reached at [email protected], and on Twitter @cryanbarber.
