Special Alert: CFPB Enters into First Consent Order with Online Payment Platform for Misrepresenting Data Security Practices
March 3, 2016
On March 2, the CFPB took action against an Iowa-based online payment platform and entered into a Consent Order for deceptive acts and practices relating to false representations regarding the company’s data security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010. The CFPB ordered the company to pay a $100,000 fine and to take certain remedial steps to improve its cybersecurity practices. Notably, this action is the result of the company’s failure to have adequate controls in place; it is not the result of a breach incident. Similar to other regulators, the CFPB will likely pay increasing attention to cybersecurity and data privacy issues as the understanding of their significance grows.
The Consent Order states that, despite representations to the contrary, the company (i) misrepresented the quality and efficacy of its cybersecurity and data privacy practices by stating that all personal data on its site was “safe” and “secure” and that its practices “exceeded” industry standards; (ii) did not properly encrypt consumer data; and (iii) failed to provide employees with sufficient cyber training.
Questions regarding the matters discussed in this Alert may be directed to any of the persons listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.