Dwolla, Inc., a company that claims to offer secure, ready-to-use payment tools that simplify how people send or receive money from anyone in the U.S., has been hit with a $100,000 penalty and an annual data-security audit compliance plan. Dwolla, based in Des Moines, Iowa, has collected and stored sensitive personal information from consumers since 2009, such as address, date of birth, telephone number and Social Security number. In addition, consumers provide their bank account and routing number to link their bank accounts to their Dwolla account. Dwolla has approximately 653,000 members and transfers as much as $5,000 per day.
Earlier this month the Consumer Financial Protection Bureau (CFPB) took action against the company, finding that from January 2011 to March 2014 Dwolla had misrepresented to consumers that it employed reasonable and appropriate measures to protect their data; despite its claims that its security practices exceeded industry standards, they did not. In fact, the CFPB found that Dwolla had failed to encrypt sensitive consumer information and that its transactions, servers, and data centers were not PCI compliant, contrary to its claims. The CFPB summarized the failures as follows:
- Failure to adopt and implement data-security policies and procedures appropriate for the organization;
- Failure to use measures to identify foreseeable security risks;
- Failure to ensure proper training for employees who have access to or handle consumer information;
- Failure to use encryption technologies; and
- Failure to practice secure software development, particularly with respect to consumer-facing applications.
Of note, in 2012 Dwolla hired a third party auditor to perform a penetration test. The test involved sending a phishing email to employees that contained a suspicious URL link. The results showed that nearly half of employees opened the email, and of those, 62% of them clicked on the URL link. Of those that clicked on the link, 25% of employees attempted to register on the phishing site and provided a username and password.
Despite these results, Dwolla did not address the results of this test or educate its personnel about the dangers of phishing. In fact, as the CFPB pointed out, Dwolla did not conduct its first mandatory employee data-security training until mid-2014.
What is the result? The CFPB’s first data security action. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB can take action against Dwolla for engaging in unfair, deceptive or abusive acts or practices. The terms of the order against Dwolla require it to:
- Stop misrepresenting its data security practices and enact comprehensive data security measures (e.g., a program of risk assessments and audits);
- Train employees on the company’s data security policies as well as on how to protect consumers’ sensitive personal information;
- Fix security flaws found in its web and mobile applications and securely store and transmit data;
- Conduct an annual data-security audit of its data-security practices, followed by a written report;
- Develop a compliance plan that will then be submitted to the enforcement director and approved by Dwolla’s Board of Directors; and
- Pay a $100,000 civil penalty to CFPB.
This should be a lesson to companies that data security practices are not only necessary, but that the failure to ensure they are properly in place, and effective, can mean serious repercussions. For assistance in developing data security practices and training programs, as well as proactive breach response plans, please contact the author of this post or a member of the Polsinelli Privacy and Data Security team.