Dwolla, Inc., to pay $100K for misrepresenting data security
The Consumer Financial Protection Bureau took action on March 2, 2016, against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system. The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices.
The Bureau stated that, from December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. It also claimed that it encrypted all sensitive personal information and that its mobile applications were safe and secure. But rather than setting “a new precedent for the payments industry” as asserted, Dwolla’s data security practices in fact fell far short of its claims. Such deception about security and security practices is illegal. Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data-security practices by:
- Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
- Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.
The CFPB issued an enforcement order under which Dwolla is required to:
- Stop misrepresenting its data security practices
- Train employees properly and fix security flaws
- Pay a $100,000 civil money penalty