Day: March 3, 2016

The Consumer Financial Protection Bureau (“CFPB”) filed an interesting consent order in re: Dwolla, Inc. concerning the company’s cyber security practices.[1] The order begins with the CFPB identifying that it found “deceptive acts and practices relating to false representations regarding [Dwolla’s] data-security practices”.[3] As I’ve covered in other blog posts regarding the FTC enforcement actions, the deceptive argument is not new, and other agencies are expanding their enforcement actions even where there is no deception or misrepresentation.[4] The interesting part of this CFPB consent order is the continuing expansion of regulators taking companies to task for bad cyber-security practices, and that vague claims that might otherwise be considered puffery are being interpreted as a misrepresentation (at least at the agency level).

The CFPB findings can be grouped into two broad categories: discrete, specific failures, and more generally vague descriptions of its services. The specific failures are obviously bad and deceptive practices. For example, Dwolla claimed that a certain set of information it collected was stored encrypted, but it did not, in fact, encrypt all of that information. It also claimed to be PCI compliant, but was not, in fact, PCI compliant. Those are uncontroversial examples of deceptive practices.

The more generalized description of some services as “safe” or “secure”, or describing security practices as surpassing or leading industry standards, becomes more dicey. What does it mean to be secure? What constitutes “safe”? The problem with cyber-security is that “safe” and “secure” are relative terms that must be judged on an ever-changing basis. 100% safety and security is simply not possible. In sales terms, these might be asserted as “puffery”, but regulators are not taking them that way. The CFPB also took Dwolla to task for not “implement[ing] data-security policies and procedures reasonable and appropriate for the organization”.[2]

Many of the specific failures (such as not maintaining a written data-security plan) are becoming more important as regulators are forcing companies to defend their practices after security incidents or data breaches. That defense requires documentation to be persuasive that such incidents were not the result of bad practices. As in Dwolla, criticisms for not conducting ongoing risk assessments, penetration testing, and employee training are becoming common in regulatory actions. There is one certainty – rigorous data security practices are not a luxury, and treating them as optional or an afterthought creates significant exposure.

References

1. See “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices”, available at http://www.consumerfinance.gov/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/.
2. In re: Dwolla at 7.
3. In re: Dwolla, Inc., Rec. Doc. 1 at 1, File No. 2016-CFPB-0007 (CFPB), available at http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.
4. Compare FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012), R. Doc. 1 (asserting claims under both the deceptive and unfairness prongs of its authority).