The Consumer Financial Protection Bureau (CFPB), an organization created through the signing of Dodd Frank is changing its scope and is paying much more attention in regards to cybersecurity.  Previously, the bureau’s main focus has been consumer protection, performing safety and soundness exams for financial institutions.  As of Wednesday (3/2), the CFPB has begun trekking into the cybersecurity landscape, announcing actions taken towards an e-commerce company, Dwolla, and its data security practices.  This is a large change from the CFPB’s previous scope of target organizations as Dwolla is not required to be FFIEC guideline compliant and is an organization within a much less regulated industry.



Dwolla, a company that specializes in P2P transfers, agreed to pay a $100,000 fine and submit a semi-annual risk assessment of its technical assets, stemming from a lack of strong controls related to data protection.  Though Dwolla states that they have never experience a data breach, the CFPB has declared that the company does not maintain ‘reasonable and appropriate measures’ to security store sensitive non-public personal information (NPPI).  One area in specific that Dwolla was weak was the controls surrounding encryption of sensitive data at rest.

Industry professionals believe that many government organizations, including the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC) and the CFPB are paying more attention to how companies maintain their sensitive data to protect from a data breach, rather than how they respond to an incident.

Whether this fining of Dwolla due to poor data protection practices is a warning shot to the industry just for example sake or is the start of something much larger is unclear, but the only thing that is for sure is that the government is definitely paying much more attention to the way companies, even those from unregulated industries, collect, store, protect, and transmit sensitive information.  In Massachusetts, all companies in the Commonwealth who store sensitive data are required to have a written information security program, or WISP, which discusses internal controls used to protect this data.  If a company does not have this control in place, they could be subject to an audit and legal fines.

Have any questions regarding CFPB Fines? Contact a certified GraVoc Employee below

Related articles


Pin It on Pinterest

Share This