_____________________________
Guest post by Erica A.N. Kramer and Justin B. Hosie*
________________________________
It’s hard to imagine that the Consumer Financial Protection Bureau (CFPB), which is not tasked with enforcing information-safeguarding (Congress left that with the FTC), would impose civil fines on a company for safeguarding representations, when the company in question didn’t have a data breach.
It’s even harder to imagine such an action when the very same agency announced a policy to encourage consumer-friendly financial innovations just a few weeks before imposing the fines. However, we now live in an age when the CFPB seeks to encourage financial innovation one day and stifle it the next, even when no consumer harm appears to exist.
What happened
Earlier this month, the CFPB announced a consent order in its “first data-security action.” The announcement sends a clear message that the CFPB now has its sights on data-security practices. This enforcement action clearly shows that the CFPB is once again stretching its authority by simply labeling a representation as deceptive and blurring the lines between federal agencies’ jurisdictions. Consequently, we’re likely to see a significant increase of regulatory scrutiny in the data-security arena in the upcoming months.
The action targeted Dwolla, a Finovate alum operating a digital payment network that allows members to send and receive money. It has more than 650,000 members and transfers as much as $5 million per day. The CFPB alleged that Dwolla misrepresented its data-security practices by describing its network as “safe” and “secure” and its data-security practices as exceeding industry standards. While there appears to have been no consumer harm whatsoever, according to the CFPB’s unilateral assertions, Dwolla’s data-security practices did not live up to its claims and the representations constituted deceptive acts and practices. As a result, the CFPB imposed restrictions on Dwolla’s future conduct and ordered Dwolla to pay $100,000 into the CFPB Civil Penalty Fund.
Implications
Imposing civil penalties on innovative companies like Dwolla seems particularly heavy-handed when you consider the lack of evidence of consumer harm. Despite the extremely high volume of money and personal information moving through its network, Dwolla never experienced a data breach or received a consumer complaint regarding its data-security policies.
As Dwolla explained in its blog on March 2, “Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities.” Dwolla also explained that it is continually learning, growing, and adjusting its data-security practices to ensure members are provided with the security they expect. Unfortunately, the CFPB’s order demonstrates little tolerance for the growing pains and adjustments that often accompany the development of new technologies.
Recommendations
Given the CFPB’s none-too-subtle foreshadowing that more data-security-enforcement actions are on the horizon, we urge Fintech companies to consider several important factors:
- Understate, don’t exaggerate: The CFPB has little tolerance for puffery when it comes to data security. Make sure your claims match your practices.
- Act, don’t react: Address potential data-security vulnerabilities as soon as they come to your attention. Don’t wait for a problem to arise.
- Evolve your practices and your claims: Make sure that your data-security practices are growing and changing in lockstep with your product’s development.
- Follow the rules: Make compliance your top priority. Institute and follow a robust compliance management system that includes regular oversight and input by your company’s management and board.
Since there’s no way to avoid regulatory scrutiny, make sure your data-security practices are above reproach before the CFPB sets its sights on your company.
_____________________________
*Justin B. Hosie is a partner at Hudson Cook LLP, licensed to practice law in Florida and Tennessee. Erica A.N. Kramer is an associate at Hudson Cook LLP, licensed to practice law in Florida. You can contact Justin for more information at 423-490-7560 or jhosie@hudco.com.