Consumer reporting agencies are companies that collect, maintain, and sell vast amounts of sensitive data. In 2017, a breach at Equifax, one of the largest of these companies, compromised at least 145.5 million consumers' data.
Consumers have little control over what information these companies have, so federal oversight is important—and it could be improved. For example, the Consumer Financial Protection Bureau doesn't routinely consider data security risk when prioritizing its examinations of these companies.
We recommended improving federal enforcement of data safeguards and oversight of these companies' security practices.
A woman holding various forms of ID at a computer screen showing the names of the 3 reporting agencies.
What GAO Found
Why GAO Did This Study
GAO recommends that Congress consider giving FTC civil penalty authority to enforce GLBA’s safeguarding provisions. GAO also recommends that CFPB (1) identify additional sources of information on larger CRAs, and (2) reassess its prioritization of examinations to address CRA data security. CFPB neither agreed nor disagreed with GAO’s recommendations.
Matter for Congressional Consideration
|Congress should consider providing the Federal Trade Commission with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations. (Matter for Consideration 1)||
|As of June 2023, Congress has not passed legislation to provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act.|
Recommendations for Executive Action
|Consumer Financial Protection Bureau||The Director of CFPB should identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold. (Recommendation 1)||
Closed – Implemented
|Consumer Financial Protection Bureau||The Director of CFPB should assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks. (Recommendation 2)||