In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity foray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors. This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments. These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.
Established in 2010 by the Dodd-Frank Act, the CFPB supervises banks, credit unions, and other financial companies, and enforces federal consumer financial rules focused on, among other things, preventing unfair, deceptive, or abusive acts or practices in the provision of financial products and services. Dwolla operated a payment network that allowed individuals to transfer funds to other individuals or to businesses using an online platform and a suite of mobile applications. Dwolla, therefore, collected sensitive consumer information, including name, address, date of birth, phone number, Social Security Number, and often personal bank account information.
Similar to a number of recent FTC enforcement actions we have reported on, the CFPB highlighted several allegedly false and misleading statements Dwolla made about its data security practices, including that:
The CFPB also emphasized that Dwolla failed to adopt and implement reasonable data security policies and procedures (or even comply with ones that it had adopted), failed to conduct periodic security risk assessments, did not adequately train employees, and failed to ensure that the software and applications it developed were secure. No cybersecurity incident, data breach, or other specific consumer harm appears to have been at issue in prompting the CFPB’s investigation or the consent order.
The CFPB’s five-year consent order is significant for a number of reasons, as it provides insight into what the CFPB deems to constitute a “reasonable” cybersecurity program, and the remedial efforts that will be required should companies face scrutiny from CFPB. Notably, the consent order requires that Dwolla:
Many of these requirements are not surprising, and appear as recurring features in most cybersecurity consent decrees recently issued by the FTC, FCC, and HHS-OCR, as examples.
However, two of the provisions stand out, and suggest uniquely higher standards of care than are generally found in common standards, guidelines, and frameworks. First, the order imposes a specific requirement regarding the frequency of risk assessments: twice per year. Because of the cost, resources, time, and disruption associated with a comprehensive (versus targeted) risk assessment, the prevailing industry standard practice is to conduct assessments on an annual basis. Second, the order requires that the Board of Directors review all plans, reports, and policies and procedures required under the order. This granular involvement in the execution of the company’s security program will require the Board of Directors to have cybersecurity expertise (or obtain it through an expert), and potentially imposes on the Board of Directors obligations that extend beyond traditional risk oversight obligations of good faith and due care.
Finally, the consent order makes clear that the CFPB obtained a copy of a penetration test that Dwolla conducted in 2012, and used Dwolla’s failure to implement a remediation program to address issues identified in that assessment as evidence against Dwolla. As we reported previously, it is standard practice for regulators and plaintiffs to demand copies of cybersecurity assessments and tests in connection with investigations and litigation to show that a company knew of vulnerabilities and did not address them. Companies should therefore be thoughtful in deciding whether and how to engage consultants. If they choose to engage through legal counsel, where assessments are conducted by and at the direction of counsel for the purposes of identifying legal risks and mitigation strategies, the communications and work product may be subject to attorney-client privilege and work product protections. While companies may ultimately decide to disclose facts relating to their investigations, maintaining privilege over internal deliberative and decision-making processes remains valuable, particularly considering the specter of private litigation.
Entities regulated by the CFPB should carefully and regularly review public-facing statements (e.g., statements made in privacy policies) regarding cybersecurity, and evaluate the accuracy of such statements against current practices and procedures. Moreover, companies should consider bi-annual cybersecurity risk assessments—conducted at the direction of counsel—and annual audits of policies and procedures to identify any control weaknesses or required remediation items. Similarly, enhancing communication flows between management and the Board on specific cybersecurity issues, programs, and progress, is highly prudent given the increased attention and scrutiny being placed on directors.
 The Payment Card Industry is a self-regulatory body formed to enhance payment card security. The Data Security Standards are security guidelines by which Payment Card Industry members must abide.