Until now, the primary federal agency regulating data security has been the Federal Trade Commission. Indeed, in August 2015, the Third Circuit in the Wyndham Worldwide case affirmed the FTC’s regulatory enforcement authority against companies failing to take appropriate action to protect consumer financial information. However, other federal regulatory agencies are now increasingly asserting their authority with respect to data security issues, including in particular the Consumer Financial Protection Bureau (CFPB), which recently brought its first data security enforcement action. These developments underscore the fact that companies face a growing regulatory exposure relating to cybersecurity issues. The specific recent developments also highlight the expectations regulators are asserting with respect to board responsibility for cybersecurity issues and establish that companies can face a data security enforcement action even if they have not themselves experienced a data breach.
The CFPB Enforcement Action
Earlier this year, the CFPB brought its first data security enforcement action, against Dwolla, Inc., an Iowa-based start-up in the online payment processing industry. As discussed in the Consent Order that the company reached with the agency (here), the CFPB alleged that Dwolla had misrepresented its data security practices. In order to resolve the allegations, the company agreed to pay a $100,000 penalty and to implement a number of data security-related procedures. The agency’s press release regarding the Dwolla enforcement action can be found here. A June 7, 2016 post on the WSGR Data Advisor Blog about the CFPB enforcement action against Dwolla can be found here.
In connection with its delivery of services as an online payment platform, Dwolla collected personal information from users, including bank account information (along with routing numbers, passwords and PINs). The CFPB alleged that the company made numerous representations about the quality of its security provisions protecting this information. The CFPB alleged further that, contrary to the company’s representations, the company “failed to employ reasonable and appropriate measures to protect data from consumers from unauthorized access” and that the company’s data-security practices did not “surpass” or “exceed” industry standards. The agency alleged further that the company failed to adopt and implement data security procedures that were reasonable and appropriate for the company, or to use appropriate measures to identify reasonably foreseeable security risks.
The agency alleged that these statements were likely to mislead consumers. The agency alleged further that the misrepresentations were material because they were likely to affect consumers’ decisions whether to join Dwolla’s payment processing network.
Under the terms of the consent order, Dwolla agreed to pay the $100,000 penalty and to implement reasonable and appropriate data security measures to protect consumers’ personal information. In addition to refraining from misrepresentations about its data security, the company must, among other things, establish a written comprehensive security plan; adopt and implement reasonable data security policies; and conduct data-security assessments in key operational areas at least twice annually.
Of particular note, the consent order put specific responsibilities on Dwolla’s board to ensure that the company complies with federal consumer financial laws and with the order. Dwolla’s board must review the independent auditor’s findings and within 30 days develop a plan to correct deficiencies.
There are several interesting things about this CFPB enforcement action. Of perhaps the greatest significance, the agency’s enforcement action did not follow a data breach. There were no allegations involving the occurrence of a security incident or even of a consumer complaint (indeed, following the agency’s announcement of the order, the company confirmed that there had been no breach, incident, or complaint). The agency’s enforcement action was based solely on the company’s disclosures about its data security practices, as well as the alleged mismatch between the disclosures and the practices. This fact is worth emphasizing: it would likely come as news to many companies that they could get hit with a data security enforcement action even if they have not experienced a data breach, incident, or even a consumer complaint.
Of course, not every company is subject to the CFPB’s regulatory authority; the CFPB regulates entities that provide consumer financial products or services, a regulatory beat that cuts a wide swath through the economy, particularly as the agency has interpreted its regulatory authority. Just the same, many, if not most, companies are not subject to the CFPB’s regulatory reach. However, these other companies should not overlook the lessons of this case, as it is clear that a variety of federal agencies are increasingly interested in asserting their regulatory authority over data security issues.
The lesson of this case, that is, that a company can face a regulatory enforcement action based on its disclosure practices alone, even if it has not experienced a data breach, security incident, or even a customer complaint, is one that every company should heed, even those that are not subject to CFPB regulation.
One other interesting aspect of the Consent Order in the Dwolla case is that, as the law firm memo to which I linked above notes, it “places significant responsibility for Dwolla’s data security practices and compliance with the order directly on Dwolla’s board of directors.” The lesson here, as the law firm memo notes, is that boards “should be aware of the role that the CFPB appears to expect them to play in ensuring that their companies have reasonable and appropriate data security practices in place and would be wise to review how their boards provide oversight and management of data security at their companies.”
The SEC’s Enforcement Actions
As discussed here, in September 2015, in what was described at the time as the SEC’s first cybersecurity-related enforcement action, the SEC announced that it had entered a settlement with St. Louis-based investment advisor R.T. Jones Capital Equities Management, Inc., based on charges that the company had failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
Earlier this week, the agency announced a further data security enforcement action. In a June 8, 2016 press release (here), the agency announced that Morgan Stanley Smith Barney LLC had agreed to pay a $1 million penalty to settle charges that, as a result of its alleged failure to adopt written policies and procedures reasonably designed to protect customer data, some customer information was hacked and offered for sale online. Specifically, the agency alleged that, as a result of the company’s alleged data security weaknesses, a company employee impermissibly accessed and transferred to his personal server data regarding about 730,000 accounts. Some of the information later was hacked by third parties. Portions of the confidential data were posted on the Internet with offers to sell larger quantities. A copy of the agency’s cease-and-desist order in the matter can be found here.
According to a June 9, 2016 Law 360 article about the SEC’s action (here), the Morgan Stanley fine is the largest the SEC has imposed yet for violations of the so-called safeguards rule, which requires firms to adopt policies and procedures to safeguard customer information. The article also includes a statement from one prominent commentator that the fine is “the most significant SEC cybersecurity-related action to date,” and shows that the agency “is ready to take its place with the big boy privacy regulators.” The fine also shows that the SEC is ready and willing to use its power under the safeguards rule to police companies that fall behind on cybersecurity, even if the firm is itself a victim of a data breach.
The enforcement actions described above show that a number of federal regulatory agencies are taking it upon themselves to police data security, and that the number of federal agencies involved is growing. The CFPB’s action against Dwolla is particularly interesting as it highlights the fact that a company need not experience a data breach in order to face a data security regulatory enforcement action; a company’s data security-related disclosures alone might be sufficient to trigger regulatory interest.
The two SEC enforcement actions mentioned above did in fact involve data breach incidents. However, the SEC, too, likely will focus on disclosure-related issues. Indeed, the agency has long-standing cybersecurity disclosure guidelines. What the CFPB’s data security enforcement action against Dwolla shows is that a regulatory agency might bring a disclosure-related data security enforcement action even in the absence of a data breach, incident, or customer complaint. As I noted above, this development represents a cautionary tale for all companies, even those that are not subject to the CFPB’s regulatory authority. Among other things, other companies are subject to the SEC’s authority, and the next agency to bring a disclosure-only data security enforcement action could be the SEC (or, for that matter, another agency). I have long thought that sooner or later the SEC will seize upon the right set of circumstances to make an example of a company as a way to reinforce the agency’s messages about cybersecurity exposure.
Finally, consider the CFPB’s expectations for Dwolla’s board. The requirements imposed on the Dwolla board seem to represent a sort of template for the actions at least one regulator expects boards to be taking with respect to data security issues. The standards implied in the Dwolla consent order could have a deeper significance for boards as well; to the extent regulators expect boards to meet those standards, boards failing to meet them could face potential liability exposures. The threat of this type of exposure is most apparent with respect to boards of companies that have entered specific undertakings with regulators, like the consent order in the Dwolla case. But there is a larger concern that regulators will hold other boards to similar standards, including standards for responsibility and accountability.
While the way these issues may play out remains to be seen, one thing is sure: the activity of regulators in this area will increase and not decrease, and we likely will continue to see additional regulators becoming active in this space as well.
No Insurance Coverage for Insured’s Indemnification of Payment Card Processor’s Payment Card Industry (PCI) Assessment: In what is, as noted in a post on the Wiley Rein Executive Summary blog (here), an important development because it represents one of the first instances where a court has interpreted the language of a cyber insurance policy, a court has held that P.F. Chang’s cyber policy does not cover the company’s indemnification of its credit card transaction processor for a Payment Card Industry (PCI) assessment against the processor following a data breach.
On May 31, 2016, District of Arizona Judge Stephen McNamee granted the insurer’s motion for summary judgment on the question of coverage regarding the PCI assessment for which P.F. Chang’s had indemnified the processor. The court agreed with the insurer that the company itself had not suffered a “privacy injury” within the meaning of the policy with respect to the assessment. However, the court did say that the PCI assessment potentially could come within the policy’s “Privacy Notification Expenses” and “Extra Expenses” coverages. Nevertheless, the judge concluded that the PCI assessment was not covered as a result of a policy exclusion barring coverage for “any loss on account of any claim, or for any expense … based upon, arising from or in consequence of any … liability assumed by any insured under any contract or agreement.” The court held that this provision prohibited coverage because P.F. Chang’s had assumed its payment processor’s liability as part of their processing agreement. A copy of the May 31, 2016 order can be found here.
The Orrick, Herrington & Sutcliffe law firm’s June 7, 2016 post on its Policyholder Insider blog about the P.F. Chang cyber liability insurance coverage decision can be found here.