Pub. 11 2016-2017 Issue 1

www.nebankers.org

COUNSELOR’S CORNER
Cybersecurity

The Danger of Using Data Security as a Marketing Opportunity
Jeff Makovicka, Kutak Rock LLP

AS CONSUMERS CONTINUE TO migrate online, cybersecurity is a main concern. Because of this, banks look to assure customers that their data is safe—but beware, regulators have little tolerance for puffery when it comes to data security. Make sure your claims match your practices.

Enter, Dwolla. In March of this year, the Consumer Financial Protection Bureau (CFPB) treaded new territory by releasing a consent order against Dwolla Inc., an Iowa-based digital payment platform, regarding data security.¹ In the Consent Order, the CFPB alleged that Dwolla misrepresented how it was protecting consumers’ data. According to the CFPB, Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” while telling consumers that the information was “securely encrypted and stored.” Under the terms of the Consent Order, Dwolla is required to, among other things: (1) stop misrepresenting its data security practices, (2) train employees and improve data security practices, and (3) pay a $100,000 civil penalty. Notably, there was no allegation of a data breach or data leak or that any consumer was harmed (beyond purchasing the service in reliance on the representations).

Although the data security message sent by the CFPB is not novel (e.g., companies have always been required to keep their data security promises), the Consent Order is noteworthy because it represents the CFPB’s first consent order in the data security area. The order clearly indicates the CFPB’s view that the Consumer Financial Protection Act (CFPA)² provides it the authority to regulate certain data security marketing practices, utilizing its unfair, deceptive, or abusive acts or practices (UDAAP) authority.

Since its inception, the CFPB has made significant use of its UDAAP authority in the CFPA. Borrowed from the Federal Trade Commission (FTC) statute, but amplified to include “abusive” acts and practices in addition to “unfair” and “deceptive” ones, 12 U.S.C. § 5531 grants the CFPB a broad and powerful weapon in its enforcement cases.
