The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.
Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.
The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:
- failed to encrypt some types of sensitive personal information, including social security numbers
- did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
- failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
- provided little or no datasecurity training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
- released applications to the public without having tested whether they were secure.