Dwolla, Inc.: No data security breach, expanded CFPB reach


Posted on 03/11/2016 at 12:00 AM by The Newsroom

Late last week, the Consumer Financial Protection Bureau (“CFPB”) issued an enforcement action against the Iowa-based payments processor, Dwolla, Inc. In the Order, available here, the CFPB alleged that Dwolla misrepresented its data security and the safety of its online payment system to its customers. The CFPB assessed a penalty of $100,000 and ordered Dwolla to fix its data security practices. More information from the CFPB and from Dwolla is available here and here.

There are three reasons this Order from the CFPB is significant:

  1. No data breach occurred; rather, the CFPB asserted that Dwolla overstated its actions to protect consumer information. This signals a shift by the CFPB from a defensive to an offensive posture. Also significant is the size of the company targeted. The CFPB’s focus on a middle-sized, start-up company following a consumer complaint suggests that no business is immune from CFPB scrutiny and that routine exams by regulators are not the only means for uncovering potential violations.

  2. This is the first data security-related fine by the CFPB. The Order highlights alleged failures to employ “reasonable and appropriate” data security measures. No written CFPB guidance, regulations, or even prior enforcement actions are cited. Instead, the Order refers to “industry standards” and to the PCI Security Standards Council. The fact that these security standards are fluid implies that the burden to stay abreast of changing industry practices falls squarely on businesses going forward.

  3. The Order provides some direction to other business organizations. The following issues were highlighted by the CFPB as mandatory security measures Dwolla must take to protect consumers’ personal information:

    • A Written Data Security Policy and Procedures

    • Regular Risk Assessments

    • Employee Training on Data Security

    • Encryption of Data

    • Vendor Training and Testing Software for Vendor Security

In the future, an organization’s failure to maintain these baseline practices could be viewed by the CFPB as a data security violation.

This blog previously covered the liability that organizations can face for failing to adhere to privacy policies. The CFPB’s assertive action in the Dwolla case should be another warning to organizations about understanding the commitments they make in their privacy policies.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.




The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.