Equifax may be expecting sanctions from both the Consumer Financial Protection Bureau and the Federal Trade Commission over the credit reporting agency’s massive data breach that exposed the personal information of 148 million U.S. consumers to hackers, but one prominent government watchdog is calling for those agencies to have even more authority over Equifax and the like.
The Government Accountability Office released a report this week that recommends that the CFPB and the FTC be given (or take in the CFPB’s case) increased authority over Equifax, Transunion, Experian, and any other credit reporting agencies.
Specifically, the GAO calls for the FTC to be given more authority by Congress to levy financial penalties against credit reporting agencies for neglecting to protect consumers’ financial data.
The GAO also calls for the CFPB to increase and improve its oversight of the credit reporting agencies, including potentially expanding its supervision to include credit reporting agencies that it does not currently oversee.
According to the GAO report, the FTC has authority to seek enforcement actions against credit reporting agencies for violating the Fair Credit Reporting Act, which the FTC has done 17 times since 2008.
As the report noted, some of those actions led to settlements that included civil penalties — “fines for wrongdoing that do not require proof of harm” — for FCRA violations or violations of consent orders.
But the FTC does not have civil penalty authority for violations of requirements under the Gramm-Leach-Bliley Act, which includes a provision that directs federal regulators and the FTC to establish standards that financial institutions must meet in terms of their ability to protect against any anticipated threats or hazards to the security of customer records.
The issue, according to the GAO, is that to obtain monetary damages or compensation for such violations, the FTC is required to specifically identify affected consumers and any monetary harm they may have experienced as a result of the violations.
But in the case of a data breach, like the one at Equifax, the financial ramifications may not be felt until many years after the fact.
“Harm resulting from privacy and security violations can be difficult to measure and can occur years in the future, making it difficult to trace a particular harm to a specific breach,” the GAO writes. “As a result, FTC lacks a practical enforcement tool for imposing civil money penalties that could help to deter companies, including CRAs, from violating data security provisions of GLBA and its implementing regulations.”
As the GAO notes, the FTC has taken “significant enforcement actions” against credit reporting agencies in the past for violations of federal privacy or data security laws, but the GAO states that the agency should have “all of the appropriate enforcement options” at its disposal when dealing with credit reporting agencies.
“The remedies that FTC does have available under GLBA—such as disgorgement and consumer redress—may be less practical enforcement tools for violations involving breaches of mass consumer data,” the GAO notes. “Accordingly, providing FTC with civil penalty authority can enable it to more effectively or efficiently enforce GLBA’s privacy and safeguarding provisions.”
As for the CFPB, the GAO report notes that the agency has had five public settlements with credit reporting agencies since 2015. Four of those settlements included alleged violations of the FCRA, while three included alleged violations of unfair, deceptive, or abusive practices provisions.
Under its existing authority, the CFPB supervises credit reporting agencies that make more than $7 million in annual receipts from consumer reporting. According to the GAO report, CFPB staff told GAO investigators that the agency is tracking between 10 and 15 credit reporting agencies that might qualify as larger market participants, and therefore qualify for CFPB supervision.
But the CFPB staff said that the 10 to 15 agencies it’s tracking “may not comprise the entirety of larger market participants, because CRAs’ receipts from consumer reporting may vary from year to year, and CFPB has limited data to determine whether CRAs meet the threshold.”
Put simply, the CFPB is not currently able to determine the size of all the credit reporting agencies and therefore cannot determine which agencies to supervise.
The GAO wants that to end, and wants the bureau to fully oversee the credit reporting industry.
“Using additional methods to obtain information, such as requiring larger market participant CRAs to register with the agency or leveraging state registration information, would help CFPB ensure it is tracking all CRAs under its supervision and is providing appropriate oversight,” the GAO writes.
Additionally, the GAO report states that the CFPB has not considered data security a priority when determining which credit reporting agencies to examine. The GAO wants that to change too.
“Given the nature and amount of consumer information CRAs hold, as well as increasing threats from hackers and others with malicious intent, vulnerabilities in these companies’ data security can pose significant risk to a vast number of consumers,” the GAO writes. “By ensuring that its process for determining the scope of CRA examinations routinely includes factors that would detect data security risks, CFPB can better ensure the effectiveness of its supervision and help prevent further exposure or compromise of consumer information.”
To remedy these problems, the GAO suggests that Congress should consider giving the FTC civil penalty authority under the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to “help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations.”
Additionally, the GAO states that the CFPB should:
- Identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold
- Assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks
The report was requested by Sen. Elizabeth Warren, D-Mass., and Chairman of the House Oversight and Reform Committee Rep. Elijah Cummings, D-Md., just eight days after the Equifax breach was first disclosed in 2017.
In a joint statement, the Democrats stated that the amount of data held by the credit reporting agencies still poses a serious risk to consumers.
“The Equifax breach revealed major gaps in how CRAs protect and use consumers’ private information, and the report we released today confirms that vulnerabilities still exist,” Warren and Cummings said. “The GAO has issued very clear recommendations on how to protect consumers, so let's follow them. We need to give the FTC more tools to crack down on consumer data abuses and the CFPB needs to do its job, hold these firms accountable, and protect consumers.”