Guest post by Natalie Prescott and Cynthia Larose – Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
According to the FBI, “there are only two types of companies: those that have been hacked and those that will be.” It does not take an actual data breach, however, for a company to be held liable for its data security practices. In March 2016, the Consumer Financial Protection Bureau (CFPB) made this clear when it settled its first-ever data security enforcement action against an online payment processing company, Dwolla. The CFPB pursued Dwolla because it found the company’s representations to customers about its cybersecurity misleading, even though Dwolla had never, since its inception, experienced a single reported cybersecurity incident. As part of the settlement, Dwolla agreed to sign a Consent Order, pay a $100,000 civil penalty, take specified steps to improve its data security over the next five years, and make accurate representations to consumers about that security. The Dwolla case offers important guidance to FinTech companies and provides a framework for data protection and preparedness plans.