CFPB Enters into First Consent Order with Online Payment Platform for Misrepresenting Data Security Practices

March.03.2016

On March 2, the CFPB took action against an Iowa-based online payment platform and entered into a Consent Order for deceptive acts and practices relating to false representations regarding the company’s data security practices in violation of 1031(a) and 1036 (a)(1) of the Consumer Financial Protection Act of 2010. The CFPB ordered the company to pay a $100,000 fine and to take certain remedial steps to improve their cybersecurity practices. Notably, this action is the result of the company’s failure to have adequate controls in place; it is not the result of a breach incident. Similar to other regulators, the CFPB will likely pay increasing attention to cybersecurity and data privacy issues as the understanding of its significance grows.

The Consent Order states that, despite representations to the contrary, the company (i) misrepresented the quality and efficacy of its cybersecurity and data privacy practices by stating that all personal data on its site was “safe” and “secure” and that its practices “exceeded” industry standards; (ii) did not properly encrypt consumer data; and (iii) failed to provide employees with sufficient cyber training.

In addition to the fine imposed, the company must (i) adopt reasonable and appropriate data security measures to protect consumers’ personal information; (ii) establish, implement, and maintain a comprehensive data security plan and appropriate data security policies and procedures; (iii) designate a qualified person to coordinate and be accountable for the data security program; (iv) conduct data security risk assessments twice annually; (v) conduct regular employee training; (vi) address required security patches to fix vulnerabilities identified in any web or mobile application; (vii) develop, implement and maintain appropriate method of customer identity authentication at registration and before effecting funds transfer; (viii) address procedures for selection and retention of service providers; and (ix) obtain an annual data security audit from an independent, qualified third party on short and specified timeframes. The Consent Order also prohibits the company from future violations of sections 1031(a) and 1036(a)(1) of the CFPA in connection with marketing, advertising, and promotion or administration of its electronic payment networks.

The Board is required to review all plans, reports, programs, policies and procedures required by the Consent Order prior to submission to the CFPB and authorize any necessary actions for the company to fully comply with the Consent Order. The Board will have ultimate responsibility for “proper and sound management” of the company and for ensuring that it complies with Federal consumer financial law and the Consent Order.

The Consent Order also contains various reporting, recordkeeping and compliance monitoring requirements. Finally, the Consent Order does not bar the CFPB, or any other governmental agency, from taking additional action against the company

Questions regarding the matters discussed may be directed to any of the persons listed in this alert, or to any other Orrick attorney with whom you have consulted in the past.

Authors

Elizabeth McGinn Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn Partner

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

View Beth's webcasts & speaking engagements, news mentions and publications.