For the first time, the Consumer Financial Protection Bureau (CFPB) entered the data security enforcement arena, announcing that it took action against online payment platform Dwolla. Dwolla collects and stores personally identifiable information, including customers’ names, dates of birth, Social Security numbers and banking information. NMHC has been following cyber policy and regulatory developments carefully because of the highly sensitive personally identifiable information that firms and their service providers collect. This information is valuable to data thieves and those wishing to do harm to a company’s reputation or financial standing.
The CFPB alleged that Dwolla violated the Consumer Financial Protection Act’s unfair, deceptive or abusive practices or acts provision because the company mispresented its data security practices. In particular, the CFPB did not identify a breach or other intrusion. Instead, the CFPB asserted that Dwolla’s website and communications were deceptive because they promise a level of data security that Dwolla did not provide until recently.
As we reported, the Federal Trade Commission (FTC) has taken similar actions against companies for failing to “reasonably protect” consumers’ information by using its authority under the FTC Act to pursue unfair and deceptive acts. Other federal agencies like the Securities and Exchange Commission and Department of Justice have also been engaged in this area.
Despite the absence of a federal data security standard, we are seeing an increasing amount of enforcement actions by federal regulators. Additionally, data security is being enforced with varying levels of consumer protection and security protocols in 47 states and the District of Columbia.
NMHC/NAA have been engaged with federal policymakers to advocate for a regulatory and compliance landscape that protects consumers while not overly burdening apartment companies. We will continue to follow enforcement actions and their regulatory implications. In addition, we recommend that apartment firms put in place strong defenses to protect their company networks, data and, ultimately, reputations.
Additional information on data security can be found at www.nmhc.org/data-security.