March 8, 2016

Cybersecurity and Data Privacy: CFPB Takes Unprecedented Action Against Company (3/16)

+ Follow Contact

Send

Embed

A new regulatory authority has entered the field of data security: the relatively new Consumer Financial Protection Board (CFPB). On March 2, the CFPB announced that it had reached a consent order with an Iowa-based company as a result of that company’s data security practices. The circumstances giving rise to this consent order were unique, especially given that no consumer data was actually exposed. In fact, no data breach even occurred.

Instead, the CFPB brought charges against the company solely because it found that the company’s representations about its security measures were false. Specifically, the company had represented in advertisements and elsewhere that its security practices "set[] a new precedent for the industry for safety and security", and that consumer data was "securely encrypted and stored" in a "bank-level hosting and security environment." It also represented that its security procedures were "PCI compliant." In reality, the security procedures fell well short of industry standards, did not encrypt consumer data, and were not PCI compliant.

Pursuant to the consent order, the company agreed to pay a $100,000 fine, conduct security audits, and to adjust its security practices going forward. Further still, the consent order took the unprecedented step of requiring the company’s board of directors to monitor and bear ultimate responsibility for the company’s compliance going forward.

This consent order is a strong example of the CFPB’s rapidly increasing use of its so-called ‘deception authority.’ The take away is a significant one: a company may end up in the regulatory crosshairs of the CFPB for deceptive practices related to data security even if no data breach actually occurs. In light of this recent development, companies would be well-advised to make sure that any representations they make about their data security practices are precise and entirely accurate going forward.

A full version of the consent order can be accessed at http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Bond Schoeneck & King PLLC

Contact + Follow

Michael Billok

+ Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

Consent Order

+ Follow

Consumer Financial Protection Bureau (CFPB)

+ Follow

Cybersecurity

+ Follow

Data Breach

+ Follow

Data Privacy

+ Follow

Data Security

+ Follow

Dwolla

+ Follow

Enforcement Actions

+ Follow

Personal Data

+ Follow

Popular

+ Follow

Unfair or Deceptive Trade Practices

+ Follow

Consumer Protection

+ Follow

Finance & Banking

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Bond Schoeneck & King PLLC on:

Cybersecurity and Data Privacy: CFPB Takes Unprecedented Action Against Company (3/16)

Related Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

Bond Schoeneck & King PLLC on:

"My best business intelligence, in one easy email…"