Another federal agency has entered the arena for regulating e-commerce companies regarding the protection of consumer data.
The federalConsumer Financial Protection Bureau has closed its first and so far only privacy case with a consent agreement between itself and an online payments processor. The case has raised questions about the legal approach the CFPB took, as well as whether it will become a major player in privacy regulation.
The CFPB charged thatDwolla falsely claimed that its data security practices exceeded or surpassed industry security standards, and also misled consumers that its information was encrypted and stored securely.
The company collected and stored the personal information of consumers and provided a platform for financial transactions, the bureau said. The case covered aspects of the company’s operations between 2011 and 2014.
As of May 2015, the company had more than 650,000 users and had transferred as much as US$5 million per day. For each account, the company obtained consumer names, addresses, dates of birth, Social Security numbers, phone numbers, bank account information, a password and a four-digit PIN.
Stronger Privacy Measures
The bureau contended that Dwolla failed to implement proper antiphishing measures, adopt proper encryption techniques or observe secure software development. As a result, the CFPB cited the company for misleading its customers by falsely representing that it was using reasonable privacy protection protocols.
Dwolla neither admitted nor denied the allegations. However, the company agreed to pay $100,000 to settle the complaint and to abide by CFPB requirements to improve its consumer privacy protection practices. The consent order expires after five years.
“Dwolla is glad to have come to a resolution with the CFPB regarding its investigation,” the company said in a statement provided to the E-Commerce Times by spokesperson Jordan Lampe.
“The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012. Dwolla understands the bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards,” the company said.
“The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices,” it said.
CFPB Acts Even Without a Breach
The CFPB acted on the basis of alleged misrepresentation, while no actual or potential harm occurred in the Dwolla case.
“Whether the CFPB believes that immediate, intense data security measures are the best remedy for alleged data security violations remains to be seen. But what is clear is that this relatively new agency believes it need not wait for a data security incident to occur before bringing an enforcement action against a company within its jurisdiction — even a startup — that it believes is making deceptive, material representations about its data security practices,” said Heather Sussman, a partner atRopes & Gray.
The case should serve as a reminder that data security measures and employee training must be tested and evaluated periodically, according toSquire Patton Boggs. Companies under the bureau’s jurisdiction should pay attention to the broad implications of the Dwolla order.
CFPB’s Legal Approaches for E-Commerce
Other significant e-commerce and privacy protection aspects of the case include the following:Scope of CFPB regulation: The consent agreement was an indication of how the CFPB views its role in the privacy area.
“The bureau is authorized by the Dodd-Frank Act to take action to prevent covered persons or service providers from committing unfair, deceptive, or abusive acts or practices in connection with the offering or provision of consumer financial products or services, including any unfair, deceptive or abusive practices related to data security,” the bureau said in a statement provided to the E-Commerce Times by spokesperson David Mayorga.
Regarding privacy and data security, the CFPB said it is authorized to take action under various statutes, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Fair Debt Collection Practices Act.
Accountability: The remedial measures imposed on Dwolla appear to be more stringent than those imposed by other agencies such as the Federal Trade Commission.
For example, Dwolla’s board of directors is specifically charged with meeting CFPB requirements; risk assessments must be conducted twice a year; the company must undergo an independent security audit annually; and employees must receive regular, mandatory training. Further, the company must refrain from misrepresenting its security capabilities to consumers.
Consumer Group Supports CFPB
“The CFPB not only has the authority to act but also has the obligation to do so to make sure that the entities under its jurisdiction provide proper security for consumers and don’t misrepresent themselves regarding the protection of consumer information,” said Susan Grant, director of consumer protection and privacy at theConsumer Federation of America.
“While there was no actual breach involved in this case, it is still important for agencies to move proactively to protect consumers and not just initiate enforcement after some harm has occurred. So the CFPB was proper to take the action it did in this case,” she told the E-Commerce Times.
“Even though other federal agencies also have jurisdiction in this area, these agencies do work together, so I see the entry of CFPB into the privacy area as complementary to other federal agency action. The CFPB was sending a clear message that it intends to pursue these issues,” Grant added.
“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said.
“With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing,” he said. “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”