Consumer Data Protection: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies
Consumer reporting agencies are companies that collect, maintain, and sell vast amounts of sensitive data. In 2017, a breach at Equifax, one of the largest of these companies, compromised at least 145.5 million consumers' data.
Consumers have little control over what information these companies have, so federal oversight is important—and it could be improved. For example, the Consumer Financial Protection Bureau doesn't routinely consider data security risk when prioritizing its examinations of these companies.
We recommended improving federal enforcement of data safeguards and oversight of these companies' security practices.
Recommendations
GAO recommends that Congress consider giving FTC civil penalty authority to enforce GLBA’s safeguarding provisions. GAO also recommends that CFPB (1) identify additional sources of information on larger CRAs, and (2) reassess its prioritization of examinations to address CRA data security. CFPB neither agreed nor disagreed with GAO’s recommendations.
Matter for Congressional Consideration
| Matter | Status | Comments |
|---|---|---|
| Congress should consider providing the Federal Trade Commission with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations. (Matter for Consideration 1) | | As of August 2021, Congress has not passed legislation to provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. |
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Consumer Financial Protection Bureau | The Director of CFPB should identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold. (Recommendation 1) | In July 2020, CFPB staff noted that they have reviewed state CRA registration information available to them, are working to obtain additional state registration information, and are exploring additional ways to leverage the information. GAO will continue to monitor CFPB's progress in leveraging additional sources of information that would help identify larger participant CRAs. As of July 2021, CFPB had not made additional progress on implementing this recommendation. |
| Consumer Financial Protection Bureau | The Director of CFPB should assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks. (Recommendation 2) | In July 2020, CFPB staff noted that they were assessing whether, and if so, how and when, to incorporate data security risks into their supervisory prioritization. As part of that evaluation, CFPB is assessing whether those processes should incorporate data security risks CRAs pose to consumers in light of the agency's statutory authorities, supervisory responsibilities, and resources. GAO will continue monitoring CFPB's assessment of prioritization of CRA data security risks. As of July 2021, CFPB had not made additional progress on implementing this recommendation. |