The Consumer Financial Protection Bureau (CFPB) issued its first enforcement action for misrepresenting data security practices. In the simplest terms possible, the CFPB has made it clear that if companies are going to ‘talk the talk’ about data security practices, they also have to ‘walk the walk.’ In addition to a $100,000 fine, the CFPB ordered online payment systems operator Dwolla to take immediate steps to ramp up its security practices on many fronts.
Though hitherto never exercised in the data security context, the CFPB derives its authority to regulate from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank provides the CFPB power to take action against institutions engaged in “unfair, deceptive or abusive acts or practices.” Signalling data security practices are within their jurisdiction and in their sights, the CFPB’s scathing press release about Dwolla’s deceptive practices indicates further enforcement is sure to come.
Several facts make this action especially interesting and relevant to data security planning and practices:
1. There was no data breach. Historically, any regulation or fine was a direct result of some form of breach, which led a regulator to inquire about company practices. This is an enforcement action without any such precursor, and it means that any company with public-facing statements about data security practices can be subject to scrutiny.
2. Dwolla’s policies made explicit statements that their practices “exceed[ed]” or “surpass[ed]” industry data security practices, including PCI-DSS. On examination, Dwolla’s practices fell far short of anything even beginning to resemble sound data security practices, and included misrepresentations about the amount of data encrypted, security implemented, and transmission of sensitive data as clear text.
3. Dwolla management now has an ongoing reporting requirement to the CFPB for a period of five (5) years about its security practices and posture. It also established an affirmative obligation of the Dwolla Board of Directors to review all “plans, reports, programs, policies, and procedures,” before these documents are submitted to the CFPB. Obliging the Board is an overt demand for responsibility and accountability on CFPB’s part, and is likely to be part of any future enforcement action.
This is a blaring wake-up call to companies housing, collecting, or processing personal or financial data. In the words of the CFPB, “deception about security and security practices is illegal.” Review, revision, and auditing of security policies is a must.
Government regulation of data security is on the rise. And there is the possibility of regulatory scrutiny from multiple federal and state agencies with often overlapping and unclear jurisdictional boundaries.
These are necessary and sufficient reasons for a company’s data security practices and planning to be performed in a legally privileged context and overseen by experienced attorneys who are themselves information security professionals.