Dwolla got slapped down hard on Wednesday (March 2) by the Consumer Financial Protection Bureau for a series of security violations. But due to a dearth of meaningful federal security laws, CFPB’s $100K fine of Dwolla had to follow in the footsteps of fellow federal regulator Federal Trade Commission. They can’t punish a company for what it did nearly as easily as they can punish it for not doing what it says.
That said, once Dwolla opened the door to federal investigators by boasting about its security on its Web site, every security violation discovered was fair game. Takeaway: In the same way that marketers of publicly held companies were beaten down by senior staffers from investor relations to never say anything publicly without IR’s blessing, payment facilitators today must rein in anything involving security that even smells a little of hype. See? Our mothers were right. Boasting can deliver real problems.
Once those doors were opened, according to a federal consent order published on Wednesday, security violations aplenty were found.
“In numerous instances, (Dwolla) stored, transmitted, or caused to be transmitted the following consumer personal information without encrypting that data: first and last names; mailing addresses; Dwolla 4-digit PINs; Social Security numbers; Bank account information; and digital images of driver’s licenses, Social Security cards and utility bills. Dwolla also encouraged consumers to submit sensitive information via e-mail in clear text, including Social Security numbers and scans of driver’s licenses, utility bills, and passports, in order to expedite the registration process for new users,” the consent order said.
Dwolla issued a statement responding to the CFPB fine and details, but it didn’t even directly acknowledge the federal complaint.
The statement referred to the 7-year-old Dwolla’s early days and said that “Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.”
The Dwolla statement also fell back on the standard response to security charges: minimizing their seriousness by pointing to a lack of actual fraud. The suggestion, presumably, is that if Dwolla’s security shortcuts were so bad, why didn’t any bad guys take advantage of them?
“Since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We’ve continuously matured our data security practices since that snapshot in time and have never been more proud of our information security policies, procedures, and technologies,” Dwolla said.
One problem with that defense is that exposing customers’ sensitive data could have enabled lots of fraud, but there’s no reason that the fraud would have necessarily been detected at Dwolla. On the other hand, had massive fraud resulted, Dwolla would have likely been quickly identified as the common point of purchase—or, in this case, point of interaction.
Deana Rich, president of Rich Consulting, said she saw the federal move against Dwolla as “a big deal.”
“Failing to encrypt PII is mind boggling in 2016,” Rich said. “Security is more than fodder for your marketing meta tags.”
Indeed, the argument could be made that imprecise security references shouldn’t go anywhere near your meta tags. Dwolla’s problems began with a few seemingly innocuous security boasts.
“From January 2011 to March 2014, Respondent represented, or caused to be represented, expressly or by implication, to consumers that Respondent employs reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” said the federal filing. The words that really opened the door were Dwolla’s claims that its data-security practices “exceed industry standards,” “surpass industry security standards,” “sets a new precedent for the industry for safety and security,” that it stores consumer information “in a bank-level hosting and security environment” and that Dwolla encrypts data “utilizing the same standards required by the federal government.”
All that federal investigators then had to do was prove that one of those statements was inaccurate. That put Dwolla on the hook for deceiving its customers, which in federal parlance constitutes deceptive acts or practices, and that is something federal law prohibits. Dwolla’s hype was akin to Al Capone’s tax evasion: it gave the feds the in they needed.
“In fact, Respondent’s data-security practices did not ‘surpass’ or ‘exceed’ industry standards. In fact, Respondent did not encrypt all sensitive consumer information in its possession at rest. In fact, Respondent’s transactions, servers, and data centers were not PCI compliant,” the federal filing said.
Dwolla is potentially the first company to ever be federally fined for not having a written incident plan. “From its launch until at least October 2013, Respondent did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information. Until at least December 2012, Respondent’s employees received little to no data-security training on their responsibilities for handling and protecting the security of consumers’ personal information. Respondent did not hold its first mandatory employee training on data security until mid-2014.”
Another cautionary tale. Dwolla retained a third-party security firm to test employees. Although failing to have had such testing may not have generated federal action, Dwolla’s failure to act on the findings did. Don’t do the crime if you can’t do the time, and don’t test employees unless you’re prepared to deal with the results.
“In December 2012, Respondent hired a third party auditor to perform the first penetration test of Dwolla.com. In that test, a phishing e-mail attack was distributed to Respondent’s employees that contained a suspicious URL link. Nearly half of Respondent’s employees opened the e-mail and, of those, 62 percent of employees clicked on the URL link. Of those that clicked the link, 25 percent of employees further attempted to register on the phishing site and provided a username and password,” the filing said. “Dwolla failed to address the results of this test or educate its personnel about the dangers of phishing. Dwolla did not conduct its first mandatory employee data-security training until mid-2014.”