CFPB report on data collection is silent on threat of breaches
The Consumer Financial Protection Bureau this week issued a report and a request for information as part of an effort to assess the effectiveness of how data is collected, used and reused.
Acting CFPB Director Mick Mulvaney has repeatedly pointed to data security as a defect at the bureau and in December directed the CFPB’s staff to stop collecting any personally identifiable data.
At the time, Mulvaney claimed the CFPB had suffered hundreds of data breaches and halted all enforcement actions for about six months.
But the CFPB's 199-page report on data collection, released late Tuesday, makes no mention of data breaches, and only twice mentions data gaps. The report’s appendix includes more than 130 pages describing the CFPB’s sources and uses of data and data governance policies, including a list of the bureau’s 188 data collections to date.
The report noted that in January the CFPB signed an interagency agreement with the Department of Defense to leverage its so-called “risk and vulnerability assessment services” to identify potential gaps in cybersecurity controls.
The bureau said risk assessors found "no critical findings" after completing an assessment this spring.
“The review concluded that overall the Bureau’s security posture is well-organized and maintained,” the report stated.
The CFPB's 11-page RFI is seeking feedback on best practices for data governance and privacy, and how the bureau can improve its processes “for collecting data, managing data, and releasing data.”
The CFPB specified that it is not seeking comment on the bureau's consumer complaint process, which it already sought public comment on through one of a series of RFIs on many aspects of the agency's work.
Rather, the CFPB wants input on what changes it should make to the sources, uses and scope of its data collections, including the use of confidential supervisory or investigation information to inform other bureau functions.
The CFPB also wants to know how it can reduce the burden on potential furnishers of data, and how to make data collection requests from financial institutions “more effective and efficient.”
House Republicans for years have raised security concerns about the CFPB’s methods for collecting and storing data, with the intent of reducing overall data collection, typically by citing privacy concerns.