Dwolla, a non-bank payment processor, settled charges with the CFPB this week. The Consent Order provides some insight into the expectations that the CFPB has for protecting consumer information.
Kind of like getting Al Capone for tax evasion, the CFPB hit Dwolla for misrepresenting their security practices – what they call deceptive acts and practices. They didn’t specifically say that any particular mechanism is bad, but rather that you are not doing what you told people you are doing.
Dwolla is a small player as financial institutions go, moving, according to the order, around $5,000,000 a day through pooled accounts that they control in a credit union and a bank. That would indicate that the CFPB is not only going after big players.
Information that they collect, in addition to financial transaction information, includes name, address, social, date of birth, phone number, and bank account information. They have around 600,000 members.
The CFPB says that between 2011 and 2014, Dwolla represented, or caused to be represented, expressly or by implication, that it used reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
Let’s dissect that a bit – it means that if you dance around the word “protection” and imply, but don’t actually say, what you are doing, the CFPB is going to treat it as if you had expressly stated it. That includes things your business partners say on your behalf.
Dwolla said, according to the CFPB, that its network and transactions were safe and secure. That’s a pretty vague claim.
On its web site, the order continues, Dwolla claimed that its data security practices “exceed industry standards”, that it stores information “in a bank-level hosting and security environment” and that it encrypts data “utilizing the same standards required by the federal government.”
While I might look at that and say that it is marketing garbage, the CFPB takes that literally.
Dwolla also said, apparently, that they encrypt all sensitive data in transit and at rest and that they were PCI compliant.
The CFPB, on the other hand, said Dwolla failed to employ reasonable and appropriate measures to protect data and their data security practices did not surpass or exceed industry standards. The CFPB also said that they did not encrypt all sensitive data.
Note that the CFPB did not say that Dwolla had to employ reasonable and appropriate measures, had to exceed industry standards or had to encrypt all data. They just said that Dwolla should not lie about what they were doing.
The CFPB said that, for different time periods, Dwolla:
- Did not adopt reasonable and appropriate data security policies and procedures
- Did not have a written data security plan covering the data that they collected and stored
- Did not conduct adequate and regular risk assessments.
- Did not give their employees reasonable data security training
- Did not hold mandatory employee data security training
- Did not conduct third party penetration tests. During their first test, they sent out a phishing email test and nearly half of the employees opened the email, 62% of those who opened the email clicked on the link, and 25% of those who clicked on the link registered at the site with a username and password.
- Dwolla failed to address the results of this test
- Transmitted sensitive information unencrypted (while it doesn’t give specifics, using normal email would fail this test).
- Encouraged customers to submit sensitive information via email
- Operated a development environment with no data security training
- Failed to test the security of apps protecting consumer information
It is reasonable to infer that the CFPB would consider the opposite of each of these actions to be “the right answer”.
In the consent order, Dwolla must:
1. Establish, implement and maintain a comprehensive data security plan
2. Adopt and implement reasonable and appropriate data security policies and procedures
3. Designate a qualified person to be accountable for the data security program
4. Conduct data security risk assessments twice a year
5. Evaluate and adjust the data security program in light of the results
6. Conduct regular, mandatory employee security training
7. Develop, update and implement security patches
8. Develop, implement and maintain an appropriate method of customer identity authentication at registration time.
9. Develop, implement and maintain reasonable procedures for third party risk (service providers).
10. Obtain an annual data security audit from an independent, qualified, third party, using generally accepted professional procedures and standards.
My interpretation of the consent order, and I don’t even play a lawyer in the blogosphere, is that these 10 items are on the “You should do” list.
In addition, there is a laundry list of other things that they have to do, like conduct a third party audit within 30 days and, within 180 days, have the auditor report to the board on the results of the audit.
Finally, they were ordered to pay a $100,000 fine, which seems like a bargain.
For those organizations that are under the auspices of the CFPB, I would suggest looking at the bulleted list of DON’T do’s and the numbered list of TO DOs and seeing which ones on each list you are on the right side of.
Not a regulation, but it could help keep you out of the dog house.
Information from this post came from the CFPB Consent Decree here.