Editor’s Note: Cross-posted from Regulatory Cyber Security/FISMA Focus
From: Norton Rose Fulbright
On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) released a Consent Order entered between it and Dwolla, a company providing an online money transfer and payment processing platform to consumers. The Consent Order alleges that Dwolla made false representations concerning its data security practices and engaged in deceptive acts and practices in connection with the offering of consumer financial products or services, in violation of the Consumer Financial Protection Act of 2010 (“CFPA”) sections 12 U.S.C. 5531(a) and 5536(a)(1).
This is the CFPB’s first foray into the data security and privacy enforcement space and could foreshadow additional similar enforcement activity. Interestingly, it appears that this investigation and Consent Order were not triggered by a security breach suffered by Dwolla. Although the CFPB’s approach and enforcement rationale are reminiscent of similar actions taken by the FTC, the Consent Order is the first of its kind and has its own quirks. In this post we take a deeper look at the CFPB’s action and the Dwolla Consent Order.