Highlights

The growth of information resellers--companies that collect and resell publicly available and private information on individuals--has raised privacy and security concerns about this industry. These companies collectively maintain large amounts of detailed personal information on nearly all American consumers, and some have experienced security breaches in recent years. GAO was asked to examine (1) financial institutions' use of resellers; (2) federal privacy and security laws applicable to resellers; (3) federal regulators' oversight of resellers; and (4) regulators' oversight of financial institution compliance with privacy and data security laws. To address these objectives, GAO analyzed documents and interviewed representatives from 10 information resellers, 14 financial institutions, 11 regulators, industry and consumer groups, and others.

Recommendations

Matter for Congressional Consideration

Matter: Safeguarding provisions of FCRA and GLBA do not apply to all sensitive personal information held by information resellers. To ensure that such data are protected on a more consistent basis, Congress may wish to consider requiring information resellers to safeguard all sensitive personal information they hold.
Status: Closed - Implemented
Comments: Congress has considered several bills since 2006 that would have required information resellers and a broader class of businesses to better safeguard sensitive personal information. For example, in December 2009, the House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, which would have required the FTC to write rules to enhance data security safeguards. Also in December 2009, the Senate Committee on the Judiciary reported S. 1490, the Personal Data Privacy and Security Act of 2009, which also called for enhanced safeguards for personal information.

Matter: As Congress considers how best to protect data maintained by information resellers, it may wish to consider whether to expand more broadly the class of entities explicitly required to safeguard sensitive personal information.
Status: Closed - Implemented
Comments: Congress has considered several bills since 2006 that would have required information resellers and a broader class of businesses to better safeguard sensitive personal information. For example, in December 2009, the House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, which would have required the FTC to write rules to enhance data security safeguards. Also in December 2009, the Senate Committee on the Judiciary reported S. 1490, the Personal Data Privacy and Security Act of 2009, which also called for enhanced safeguards for personal information.

Matter: If Congress were to choose to expand safeguarding requirements, it may wish to consider providing the implementing agencies with sufficient flexibility to account for the wide range in the size and nature of entities that hold sensitive personal information.
Status: Closed - Implemented
Comments: Bills introduced in Congress since 2006 to safeguard sensitive personal information have generally included rulemakings and other provisions to allow sufficient flexibility to implement the provisions among different types of entities. For example, H.R. 2221, the Data Accountability and Trust Act, would have required the FTC to write rules to enhance data security safeguards.

Matter: To ensure that the Federal Trade Commission has the tools it needs to most effectively act against data privacy and security violations, Congress may wish to consider providing the agency with civil penalty authority for its enforcement of the Gramm-Leach-Bliley Act's privacy and safeguarding provisions.
Status: Closed - Implemented
Comments: According to the Federal Trade Commission, since our report was published in 2006, several bills have been introduced in Congress related to data protection and identity theft that would give FTC enhanced civil penalty authority for its enforcement of Gramm-Leach-Bliley. Most recently, the House-passed version of H.R. 4173 would have provided such enhanced authority in this area.

Recommendations for Executive Action

Agency Affected: Other
Recommendation: State insurance regulators, individually and in concert with the National Association of Insurance Commissioners, should take additional measures to ensure appropriate enforcement of insurance companies' compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. As a first step, state insurance regulators and NAIC should follow up appropriately on deficiencies related to compliance with these provisions that were identified in the recent nationwide survey as part of a broader targeted examination of GLBA privacy and safeguarding requirements.
Status: Closed - Implemented
Comments: The National Association of Insurance Commissioners (NAIC), in coordination with state regulators, took several actions in response to GAO's recommendation, including the following: (1) identified insurance groups and companies that had deficiencies identified in its 2005 nationwide survey related to compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act; (2) requested that state insurance regulators conduct a review of these deficiencies; (3) conducted monthly conference calls to devise an action plan for addressing the deficiencies; and (4) requested that state regulators follow up on deficiencies in their examinations. According to NAIC, as of September 13, 2007, all individual or company group investigations were complete with no additional recommended follow-up or action. In addition, NAIC said that it and state insurance departments have continued to proactively monitor privacy issues through the use of specific health and financial privacy codes as part of the NAIC's Complaint Database System.
