WASHINGTON — The Government Accountability Office is recommending a stronger regulatory approach at two agencies to protect consumer financial data.
The GAO's report, which calls for a stronger role by the Federal Trade Commission and Consumer Financial Protection Bureau, came at the request of Sen. Elizabeth Warren, D-Mass., and Rep. Elijah Cummings, D-Md., chairman of the House Oversight and Reform Committee.
The two lawmakers, who released the report's findings on Tuesday, had asked the watchdog to examine regulatory authorities over the credit bureaus in the wake of the 2017 Equifax data breach, which compromised the personal information of roughly 148 million Americans.
The GAO recommended that the FTC be given stronger civil penalty authority to enforce laws that protect consumer data, and that the CFPB improve its oversight and supervision of credit reporting agencies.
"The Equifax breach revealed major gaps in how CRAs protect and use consumers' private information, and the report we released today confirms that vulnerabilities still exist,” Warren and Cummings said in a joint statement. "The GAO has issued very clear recommendations on how to protect consumers, so let's follow them. We need to give the FTC more tools to crack down on consumer data abuses and the CFPB needs to do its job, hold these firms accountable, and protect consumers."
Under the Gramm-Leach-Bliley Act, the FTC is currently unable to impose civil penalties against credit reporting agencies hit by data breaches that expose consumer information. The only remedies it has available are disgorgement and consumer redress, which the report said “may be less practical enforcement tools for violations involving breaches of mass consumer data.”
“Providing FTC with civil penalty authority can enable it to more effectively or efficiently enforce GLBA’s privacy and safeguarding provisions,” the GAO report said.
The report found that the CFPB currently lacks the data to identify all credit reporting agencies under its jurisdiction. The GAO recommends requiring all credit reporting agencies to register with the CFPB to improve the regulator’s supervision and oversight.
The report also recommends that the director of the CFPB assess whether the agency's process for prioritizing credit bureau examinations sufficiently incorporates the data security risks they pose to consumers, and take any needed steps to better incorporate these risks.
The lawmakers released the report ahead of a House Oversight hearing Tuesday to examine the recommendations, as well as efforts by the FTC and the CFPB to oversee consumer reporting agencies' handling of consumer data.
