The moral of this story:
If you say you are going to do something, you better well do it!
Such wasn’t the case for online payment platform Dwolla, which was just fined $100,000 by the Consumer Financial Protection Bureau (CFPB) for deceiving consumers about its data security practices and the safety of its online payment system.
According to CFPB Director Richard Cordray, “Consumers entrust digital payment companies with significant amounts of sensitive personal information. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
Things got ugly
Since December 2009, Dwolla, Inc., which operates an online payment system, has collected and stored consumers’ sensitive personal information and provided a platform for financial transactions. By May 2015, Dwolla had more than 650,000 users and was transferring as much as $5 million per day. For each account, Dwolla collected such personal information as the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.
From December 2010 until 2014, Dwolla claimed it was protecting consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. It also claimed it encrypted all sensitive personal information and that its mobile applications were safe and secure.
If only that were true…
Rather than setting “a new precedent for the payments industry” as asserted, Dwolla’s data security practices fell far short of its claims. Not only did Dwolla lie, its deceptive practices were illegal. Among a host of other issues, the CFPB specifically identified the following data-security practice misrepresentations:
So, the CFPB gets to execute its first data security action against Dwolla
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws. The Dwolla action represents the Bureau’s first data security action. It’s only a matter of time until there are others.
Under the terms of this first order, Dwolla must:
Don’t do what Dwolla did
Keep your data safe and your teams compliant. Dwolla could’ve done that from the beginning…but for reasons only Dwolla management knows, it did not.
Shortsighted indeed. Especially when there are tools like Patrina’s Records Management platform and Patrina’s Integrated Compliance Suite to help businesses manage the ever-growing tidal wave of unstructured data and diverse content types flowing in and out of the enterprise.
Be safe. Be secure. Be compliant.
Really! No one is immune from the regulators. No one. And compliance requirements continue to be more all-consuming. Don’t be that company. Let’s talk. Ask about Patrina’s comprehensive compliance solutions specifically designed for the financial services community.
Let’s talk (212-233-1155).