CFPB's First Data Security Action Imposes $100,000 Penalty | Practical Law

In its first data security action, the Consumer Financial Protection Bureau (CFPB) has ordered Dwolla, Inc., an online payment platform, to pay a $100,000 penalty and fix its security program after determining Dwolla misrepresented its practices.

Practical Law Legal Update w-001-4928 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 03 Mar 2016, USA (National/Federal)
On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) issued a press release describing its first data security action, including its consent order that requires Dwolla, Inc., an online payment website, to pay a $100,000 penalty and fix its security practices.
Dwolla owns and operates an online payment network that allows consumers to transfer funds to another consumer's account or to a merchant. In order to open a Dwolla account, consumers must provide personal information such as their:
  • Name.
  • Address.
  • Date of birth.
  • Telephone number.
  • Social Security number.
  • Bank account number and routing number.
From January 2011 through March 2014, Dwolla told consumers that its data security practices exceeded industry standards and that its network provided safe and secure transactions. The CFPB, however, determined that Dwolla did not employ reasonable and appropriate measures to protect consumer data and that, contrary to the company's statements, not all consumer data was encrypted. Additionally, Dwolla failed to adopt or implement a data security plan to govern the collection, maintenance, and storage of consumers' personal information during the relevant period. The company also failed to perform appropriate risk assessments, train its employees, and comply with the Payment Card Industry Data Security Standard (PCI DSS).
Acting under the Dodd-Frank Wall Street Reform and Consumer Protection Act, and in addition to the monetary penalty, the CFPB has ordered Dwolla to:
  • Stop misrepresenting its data security practices.
  • Develop, implement, and maintain a comprehensive written information security plan.
  • Properly train employees and fix security flaws.
  • Annually obtain and submit to the agency an independent data security program audit.
The CFPB order also requires Dwolla's board of directors to take specific oversight actions. A copy of the CFPB order can be found on the CFPB website.
The CFPB's action reminds organizations that their data security practices must be consistent with the promises they make to consumers, especially when they handle financial or other sensitive personal information.