WASHINGTON (Legal Newsline) - The facts leading to $100,000 in fines were not on the side of the first company targeted by the Consumer Financial Protection Bureau over data privacy concerns, a Reed Smith attorney says.
The CFPB imposed fines against Dwolla, a financial transaction company, a month ago in the first enforcement action brought over data security concerns since legislation granted the CFPB the authority to do so.
According to the CFPB, Dwolla must also correct its data security practices after investigators found it had insecurely collected consumers' sensitive payment information since 2009.
“The facts were particularly bad for Dwolla,” said Nicholas Smyth, an attorney with Reed Smith in Pittsburgh and Washington, D.C.
“The accusations were that Dwolla claimed to have real, ‘industry-leading’ technology, but the CFPB alleges they had really sub-par security practices.”
Dwolla bills itself as a digital payment network that “securely connects with U.S banks and credit unions to enable safe, fast, bank transfers.”
Smyth said that Dwolla’s liability stems from substandard industry practices for financial data.
“Bottom line is, whether a company is saying it’s got good practice or not, what matters is are the practices strong? Are they protecting the data?" Smyth said.
Smyth said he works with a number of companies in the financial tech sector and that these companies are taking data security seriously. His clients often invest “millions and millions” in ensuring they are in line with financial regulations.
Dwolla, he said, did not seem to be a reflection of the industry as a whole.
Smyth has written that the ruling demonstrates, for the first time, that the CFPB now has jurisdiction over data security practices in the financial sector.
The case further highlights, Smyth said, the need for companies operating in the financial sector to be proactive about their data security measures. He said the potential liability from data breach cases is “just massive.”
But even beyond that, he said, even the perception that a company is not protecting financial data could be disastrous to companies handling transactions on a daily basis.
“For a FinTech company, your reputation is everything,” Smyth said. “You can’t afford a data breach … they recognize that all it takes is one breach and that can kill your business.”