Pub. 11 2016-2017 Issue 1

May/June 2016 15 Extraordinary Service for Extraordinary Members.

The CFPB’s entry into the data security space may cause other banking regulators to take a more aggressive enforcement approach.

The Consent Order should cause all banks[3] to take notice, as an actual data breach may not be required before regulators take action.

The Facts

According to the Consent Order, Dwolla is an Iowa-based company that operates an online payment system and mobile payment network linked to a Dwolla account or a bank account. In order to provide this service, Dwolla collects information from its customers, including name, contact information, date of birth, Social Security number, a password, a unique four-digit PIN, and bank account information. Consumers use their Dwolla account to transfer funds to another Dwolla accountholder or a merchant. As of May 2015, Dwolla had approximately 653,000 members and had transferred as much as $5 million per day.

Between January 2011 and March 2014, Dwolla allegedly made the following representations (among others) to its consumers about the measures it took to ensure the security of consumers’ data: (1) Dwolla’s data security practices “exceed industry standards,” or “surpass industry security standards”; (2) Dwolla stores information “in a bank-level hosting and security environment”; (3) “100% of your info is encrypted and stored securely”; (4) Dwolla encrypts “all sensitive information that exists on its servers”; (5) Dwolla “encrypt[s] data in transit and at rest”; (6) “Dwolla’s website, mobile applications, connection to financial institutions, back end, and even APIs use the latest encryption and secure connections”; and (7) Dwolla is “PCI compliant.”[4]

Using its UDAAP authority, the CFPB concluded that these statements constituted deceptive acts or practices in violation of the CFPA. According to the CFPB, these statements were false or misleading because (among other things) Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access” and its data security practices “did not ‘surpass’ or ‘exceed’ industry standards.”

Implications

Even though Dwolla is not a bank, the Consent Order is noteworthy for a number of reasons. First and foremost for banks is the fact that the CFPB makes clear that it believes its UDAAP authority extends to marketing of data security. Under Dodd-Frank, rule writing, supervision, and enforcement of certain federal consumer financial laws were transferred from various agencies to the CFPB. These consumer laws include the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). Congress, however, did not expressly transfer to the CFPB the GLBA data security requirements. While the CFPB is aware of the GLBA and other data security standards, the Consent Order is not based on the GLBA data security standards or on a failure by Dwolla to comply with such standards. Rather than relying on any direct regulatory authority over Dwolla’s data security practices, the CFPB invoked its general authority to penalize covered entities engaging in any UDAAP.

Other implications include:

Will this CFPB action trigger more aggressive bank regulator activity in the data security space? Prudential regulators have stepped up their consumer protection activity. The CFPB’s entry into the data security space may cause other banking regulators to take a more aggressive enforcement approach, including by using their own UDAAP authority or possibly by using safety and soundness grounds.

Could the CFPB use “unfairness” theories? Although the Consent Order was based on deception, the CFPB could mimic the FTC by using “unfairness” theories in future actions in the data security arena. In the past, the FTC has used unfairness theories when “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”[5] Could the unfairness concept be used if a bank provides insufficient data protection but its representations regarding data security are not aggressive (misleading) enough to rise to the level of being deceptive? Use of the “unfairness” theory in targeting data protection deficiencies was allowed in F.T.C. v. Wyndham Worldwide Corp.[6]

Takeaways

Given the CFPB’s forewarning that more deceptive data security actions may be on the horizon, banks should consider several factors from the Consent Order:

• Review representations regarding data security; don’t exaggerate. Claims can be made on websites, in promotional material, and orally by bankers in the bank or by call center personnel. Banks should review these statements to ensure they are accurate and supportable, especially in light of new product rollouts (e.g., mobile banking). Always make sure your claims match your practices.

• Monitor your practices and your claims. Make sure your data security practices are growing, changing, and strengthening in lockstep with your product development and with security threats. In addition to moderating representations about data security practices, banks should also strengthen such practices to match or exceed the representations made. As noted,

Counselor’s Corner — continued on page 16
