New Sheriff in Town?
In early March, the Consumer Financial Protection Bureau (CFPB) took action against Dwolla, an online payment platform provider in Des Moines, Iowa, for deceiving consumers about its data security practices and system safety.
For the first time ever, the CFPB, which is authorized under the Dodd-Frank Wall Street Reform and Consumer Protection Act, levied a fine related to protecting consumer data security.
The fine was not earth-shattering, at $100,000. But the action signaled the CFPB’s arrival as a new sheriff in town for protecting consumer data against companies engaged in “unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws,” according to the CFPB.
The agency also ordered Dwolla to fix its security practices.
Legal and data security experts say the CFPB’s action further strengthens the need for both strong data security safeguards and for cyber insurance coverage, especially if you are going to handle consumers’ personal data.
“The thing that stands out is this is one more enforcer stepping up to the plate when it comes to cyber risk,” said Mark Greisinger, president at NetDiligence, a cyber risk assessment service that works with insurers that offer cyber coverage.
“They have teeth to enforce the law, but how they are doing it is under unfair and deceptive trade practices,” he said.
“What’s interesting is not only are they a new enforcer, but the CFPB went after Dwolla proactively, before a breach even occurred.”
Richmond, Va.-based Collin J. Hite, practice leader at Hirschler Fleischer’s data privacy and security practice, said it was interesting that the CFPB’s consent order puts the responsibility squarely on Dwolla’s board of directors.
And, he noted, the $100,000 civil fine cannot be paid by cyber insurance, so the CFPB is essentially saying “we will hit you right in the pocketbook when we fine you.”
“It’s gotten people to pay attention,” he said. “This way, if you follow the guidelines you can stay off the CFPB’s radar and out of trouble.”
Sending a Signal
He added that federal agencies have assessed fines not covered by insurance before in the context of D&O coverage, but this is the first time he has seen it in the cyber arena.
“The CFPB is clearly sending a signal to the entire marketplace that if the businesses are not going to implement and adhere to best practices, the government will step in and set the standards,” Hite said.
In this case, he said, Dwolla got off relatively lightly and may have benefited from the situation because it forced the company to get ahead of the curve. If the enforcement action had come after a data breach, it would have been more expensive, as the cost of post-breach processes, such as credit monitoring, can be high.
In fact, the silver lining in the legal action taken against Dwolla is that the CFPB recommendations can — and should — be used as a roadmap for all companies.
Many of the necessary steps laid out by the CFPB in its decision are best practices for data security, he said. Companies that are not doing these kinds of security procedures would have a very hard time obtaining cyber insurance in the first place.
Jennifer Coughlin, a partner in Lewis Brisbois Bisgaard & Smith’s Philadelphia office, said the CFPB’s action in Dwolla is in line with the trends her firm has seen over the past decade or so: Regulators are using long-held enforcement power to investigate and seek penalties for violations of consumer protection and data security laws.
Such investigations can result in agreements by the entity to not only pay a fine, but also be under the thumb of the regulator for several years after the agreement is reached, she said.
Her firm expects that trend to continue, and that the list of regulators launching inquiries and pursuing actions will grow.
“We also predict that these investigations will become more and more aggressive,” she said.
Coughlin said that any business engaging in offering or providing a consumer financial product or service is subject not only to the CFPB, but to other state and federal laws regulating data privacy and security.
She agreed that the Dwolla scenario offered a roadmap for companies regarding protection of consumer data.
Several best practices to follow include ensuring the accuracy of external and internal privacy policies, and the organization’s compliance with those representations; maintaining appropriate cyber and other insurance coverage, because a cyber event can spawn E&O and D&O claims in addition to regulator inquiries, fines and litigation; and closely reviewing all contracts with vendors to ensure that appropriate notification and indemnification language is contained in those contracts.
“Companies need to understand what is legally required of them and ensure they practice what they preach,” she said. “Preparedness is key.”