Reasonableness, Liability Without Breach, and More: Red Flags Raised by the CFPB’s First Data Security Action
On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) settled its first data security enforcement action against online payment processing company Dwolla, Inc. (the Company). In so doing, the CFPB has asserted itself as the new cop on the beat regulating data security, signaled its views on what constitutes “reasonable and appropriate” data security practices, and put firms on notice that a data breach is not a prerequisite to enforcement by the CFPB.
Summary of the Settlement Order
The CFPB’s consent order with the Company (the Order) rests on a deception theory brought under Title X of the Dodd-Frank and Wall Street Reform and Consumer Protection Act (Title X). In the Order, the CFPB asserts that the Company made multiple misrepresentations to consumers that it employed reasonable and appropriate measures to protect consumer data, including that its network and transactions were “safe” and “secure” and that its data security practices “exceed industry standards”—namely, the Payment Card Industry Data Security Standards (PCI DSS) applicable to entities involved in payment card processing. The CFPB also asserts that, for a significant period of time since its inception, the Company was out-of-step with industry standards by failing to: (1) adopt policies and procedures for the collection, storage, and transmission of the sensitive personal information of consumers; (2) properly train employees; and (3) regularly test its software and systems and remediate certain security problems that the Company did identify. Notably, much of the Company’s conduct at issue occurred years before the commencement of the CFPB’s enforcement action—for example, the Company adopted data security policies and procedures in 2012 and began mandatory employee training in mid-2014.
Significantly, the CFPB did not allege any specific consumer harm caused by the Company’s practices, and the Order does not require restitution. However, under the Order, the Company is required to pay US$100,000 in civil money penalties and is enjoined from making misrepresentations to consumers about the security of its payment processing systems and data security practices. The Order also requires the Company to address perceived weaknesses in its data security policies and procedures, including by adopting a mandatory, comprehensive employee training program and conducting semi-annual data security risk assessments. Moreover, the Company’s Board of Directors is instructed to improve its oversight of the Company’s compliance program, including by monitoring a data security audit that the Company must undergo to validate the effectiveness of the remedial measures required under the Order.
The Role of Reasonableness in Enforcing Unfair, Deceptive, or Abusive Acts and Practices
This is the first instance of a CFPB enforcement action focused exclusively on the security of consumer data maintained by a company covered under Title X. The action makes clear that the CFPB believes the scope of its Unfair, Deceptive, and Abusive Acts and Practices (UDAAP) authority extends to policing data security practices. In announcing the settlement, the CFPB acknowledged the novelty of its action, crediting it as “build[ing] off advances made by several other agencies.” While the CFPB’s announcement does not specifically identify the “other agencies” referenced, the Federal Trade Commission (FTC) has brought several actions focused on the data security practices of commercial firms through its Unfair and Deceptive Acts and Practices (UDAP) authority under Section 5 of the Federal Trade Commission Act.1
The CFPB’s and FTC’s UDAAP/UDAP powers are potent and flexible enforcement tools, but they do not provide precise standards tailored to particular industry practices. The CFPB based its Order on a deception theory, relying on a number of specific representations the Company made about its data security practices (for example, “100% of your info[rmation] is encrypted and stored securely”). Yet importantly, the CFPB also pointed to the Company’s statement that it employs “reasonable and appropriate measures” to protect consumer data. The CFPB alleged that, in fact, the Company failed to employ “reasonable and appropriate” data security practices because it did not, for example, comply with the PCI DSS, implement a written data security plan, conduct regular risk assessments, or provide data security training to employees. The CFPB’s decision to inject the concept of “reasonable and appropriate” data security practices into its deception claim is purposeful and important. By identifying this statement in particular as a misrepresentation, the CFPB has begun to stake out its views on what constitutes appropriate data security practices for the companies it regulates.
Separately, the Order’s citation to the PCI DSS, and other recent actions by the FTC, suggest that relevant industry standards may be used to help the agencies’ evaluate the reasonableness of a firm’s data security practices, irrespective of the firm’s representations about those practices. For instance, in an order issued on March 7, 2016, the FTC demanded that nine consulting, accounting, and forensics firms provide it with details regarding the firms’ assessments of various companies’ compliance with the PCI DSS.2 The CFPB and FTC are well aware that the PCI DSS are not legally binding. However, because PCI DSS compliance is not assessed by an independent governing body, it is likely that the FTC is seeking the above-described information in an effort to better position itself to evaluate whether firms have adopted “reasonable” data security practices based on credible third-party assessments. In the absence of specific prescriptive regulations governing data security, these tactics may be used with greater frequency in the context of the agencies’ UDAAP/UDAP examination and enforcement efforts.
The CFPB Does Not Wait for a Data Breach to Use Its Enforcement Powers
The CFPB’s Order suggests that the agency is positioning itself as a prophylactic enforcer of “reasonable” data security practices. As the Order indicates, a breach of sensitive personal information is not the only basis upon which the CFPB will bring an enforcement action concerning data security. Rather, the CFPB is prepared to bring UDAAP claims based exclusively on firms’ representations to consumers regarding their data security practices. Where those representations are deceptive based either on objective misrepresentations (e.g., statements that sensitive personal information is encrypted when, in fact, it is not) or misleading comparative statements (e.g., that a firm’s data security compliance procedures “exceed industry standards”), the CFPB may pursue an enforcement action.
What Companies Can Do Now—Other Lessons Learned
The CFPB’s action is instructive. It makes clear that the CFPB, like the FTC and state consumer protection agencies, is ready to act to regulate data security practices and to protect consumers’ data privacy interests. A firm’s failure to devote adequate attention and resources to its data security compliance can produce significant regulatory consequences. The following is a list of cautionary notes and future considerations for companies covered under Title X:
- Representations made to consumers about the types of personal data collected, how data is transmitted and to whom, and for what purposes it is shared will be scrutinized. Such representations must be consistent both with a firm’s policies and procedures and its actual practices. To the extent that these representations contain comparisons to competitors or industry practices, companies must ensure that the representations remain accurate as practices continue to evolve.
- Firms that store, process, or transmit payment card data should pay close attention to the PCI DSS and carefully evaluate their practices against these standards.
- Firm management should keep a watchful eye over data security matters, including by conducting regular audits, overseeing necessary remediation, vetting and monitoring service providers, and holding employees accountable for compliance.
- Mandatory data security training for all employees is an essential component of a firm’s compliance management system.
Compliance problems should be promptly addressed and remedied. Conducting data security testing or audits on a regular basis is critical and firms must implement changes to their data security procedures to rectify any shortfalls revealed through testing and audits.
The FTC, against vigorous opposition, has argued that firms’ failure to adopt data security measures that adequately protect consumers’ personal information amounts to an “unfair practice” in violation of Section 5 of the FTC Act. See, e.g., F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015) (upholding the FTC’s authority to regulate data security as an unfair act or practice under the FTC Act). See also In re LabMD, Inc., Docket No. 9357 (last updated Feb. 5, 2016) (involving a challenge to the FTC’s authority to regulate data security under the FTC Act).