Dwolla docked dollars for its data security
US payments start-up Dwolla has been fined $100,000 by the Consumer Financial Protection Bureau (CFPB) for its data security.
Data security issues included: “Use appropriate measures to identify reasonably foreseeable security risks; ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks; use encryption technologies to properly safeguard sensitive consumer information; and practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website, Dwollalabs.”
In a rambling and vague blog post on 2 March called “We are never done”, Dwolla says it “has never been the company’s intent to mislead anyone”, after being hit with the fine.
Problems have also arisen when Ben Milne, Dwolla’s founder and CEO, spoke at Bank Innovation 2016 (29 February – 1 March), and failed to mention the impending consent order from the CFPB.
Because of Milne’s omission, Bank Innovation published its own blog post on 2 March.
Bank Innovation says: “To wit, the list of data the CFPB said Dwolla did not encrypt, whether in storage or during transmission:
- first and last names;
- mailing addresses;
- Dwolla 4-digit PINS;
- Social Security numbers;
- Bank account information; and
- digital images of driver’s licences, Social Security cards and utility bills.”
As Bank Innovation points out, Dwolla’s blog post “did not admit any wrongdoing. Rather, it pointed out that it has never been a victim of a data breach”.
Dwolla is now required to fix its security practices and the $100,000 fine is due within ten days.
Dwolla was founded in 2008 with services initially based only in Iowa. It launched in the US in December 2010. Along with Milne, the other founder is Shane Neuerburg (CTO).
More details about the issue can be found on the Bank Innovation blog post.
Dwolla holler
Banking Technology contacted Dwolla for their comments on this news story and they responded on the same day (4 March).
The company ignored some points raised, but a Dwolla spokesperson says: “The specific language of the consent order makes one claim of deceptiveness regarding past statements made by the company. The company has already apologized for any confusion that it may have caused.”
The company says its blog post clarifies the situation.
The official statement from CFPB is here.
The Dwolla spokesperson adds: “I should also note that the [Banking Technology] article’s mention regarding Ben’s [Milne] talk at BI2016 is a bit unfair. The protocols, procedures, and requirements involved in these matters are extremely sensitive. We were not about to pre-empt an announcement by a federal agency (which came out the day after the talk). This could be seen as an attempt to influence the news cycle. We can only be reactive. In that sense, I think it’s noteworthy that we, as a company, wrote an apology blog post. That’s a lot more than other fined companies have ever done.”