Consumer Financial Protection Bureau Branches Out to Data Security Enforcement
When you stop to think about it, the Consumer Financial Protection Bureau (CFPB) has done quite a bit over the course of the last five years. This government watchdog group has managed to put pressure on big banks, bring successful lawsuits against shady collections agencies and do other things to support its mission of “protecting” American consumers. Don’t let what we’ve told you so far make it seem like all of what the CFPB has accomplished has been positive. Not by a long shot. In fact, some would argue that the CFPB may have done more harm than good. Be that as it may, it is certain that the CFPB is going to continue to do all it can to stay relevant and to justify its existence.
Many financial experts are troubled by the fact that the CFPB seems to overstep its boundaries every now and then. For example, the CFPB has branched out recently to get involved with data security enforcement. These types of issues are usually handled by the FTC, but that hasn’t stopped the CFPB from getting involved. The bureau recently managed to get a consent order against an online payment company called Dwolla Inc. As part of the suit, the company has agreed to pay $100,000 and to stop misrepresenting its data security practices. This online payment operation must also train its employees on better practices and improve the security of customer data. The CFPB is even forcing Dwolla to hire independent experts to audit its data security practices for the next five years, assess security risks twice a year and develop a new information security program.
All of this is a bit unusual, as the CFPB usually focuses its energy on actual consumer harm. But even though this has been its primary focus, there is not yet any readily available evidence that consumers were actually harmed by Dwolla. No consumers actually filed complaints with Dwolla or the CFPB. There was not an actual data breach either. The CFPB was able to utilize preemptive enforcement by using its authority to keep an eye on deceptive practices and acts. All of this is allowable under the Dodd-Frank legislation. This legislation was enacted to take action against abusive or deceptive practices. In essence, this means that any conduct that could be construed as misleading or that is likely to mislead consumers is fair game for the CFPB.
In the Dwolla case, the company wrote on its website and in other communications that its data security practices were stronger than industry standards, and that data was fully encrypted both in storage and in electronic transmission. The CFPB stated that these claims were more than likely to change the choices that consumers made about whether or not to give their business to Dwolla. The CFPB indicated that the company did not actually live up to these claims because it failed to implement the kind of data security procedures that are intended for the financial industry. The CFPB also stated that Dwolla did not conduct risk assessments, train its employees properly or use the right kind of encryption technology to keep consumer data safe and secure.
This case should be alarming to anyone who is concerned about government agencies overstepping their boundaries. Because the CFPB has a nearly boundless budget and doesn’t have to deal with much oversight from elected officials, it is an organization that has the ability to wreak a lot of havoc. Now that it has stepped into the world of data security enforcement, who knows what it will manage to get into next?