For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.

The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices “exceed” or “surpass” industry security standards; but, in reality, Dwolla failed to employ reasonable security measures to protect consumer data. In addition, Dwolla claimed that “all information is securely encrypted and stored” and that its mobile applications were safe and secure. However, the CFPB found that Dwolla did not encrypt certain sensitive consumer information and released applications to the public before testing that they were secure. The agency found several other examples of statements Dwolla made that could not be established as true.
Continue Reading There’s a new privacy boss in town