Continued consumer bureau exams of credit reporting cybersecurity depend on priorities, GAO reports

Continuing cybersecurity examinations of consumer reporting agencies (CRAs), such as Equifax and other credit reporting organizations, will be conducted by the federal consumer financial protection bureau, but only if cybersecurity is identified as a priority for the agency, according to a report issued Friday.

The Government Accountability Office (GAO) stated in a report on the response to last year’s massive breach of credit reporting agency Equifax that staff of the Bureau of Consumer Financial Protection (BCFP, formerly known as CFPB) said that whether the consumer bureau continues to conduct cybersecurity examinations at CRAs “will depend on whether they identify the issue as a priority through future examination prioritization processes.”

The GAO report ("Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach") addresses the data breach revealed in the summer of 2017, which resulted in the personal information of at least 145.5 million individuals being illegally accessed.

The report notes that BCFP and the Federal Trade Commission (FTC) are the two federal agencies with primary oversight responsibilities for CRAs, and that they opened an investigation into the breach and the Equifax response in September 2017. “The investigation is ongoing,” the report states.

But the report also indicates that the consumer agency’s oversight of the CRAs of late has largely focused on compliance with Fair Credit Reporting Act requirements related to accuracy and resolving consumer disputes.

However, the report states that BCFP staff, in discussion with GAO, noted that the agency has authority to examine larger CRAs for any unfair, deceptive, or abusive acts or practices and to bring enforcement actions against CRAs of all sizes for such acts or practices. “According to BCFP staff, in some cases, a CRA could commit an unfair, deceptive, or abusive act or practice or violation of other applicable law in connection with its data security practices,” the report states.

In October 2017, the consumer agency staff told GAO, BCFP began conducting targeted data security and cybersecurity examinations. Those exams followed what BCFP said was a large volume of consumer complaints after the Equifax breach. BCFP staff said they use such complaints as one factor in prioritizing future supervisory examinations, as well as investigations and enforcement actions.

In addition to assessing whether the CRAs’ data security practices and policies constitute violations of federal consumer financial law, the agency also began assessing risks to consumers posed by potential cybersecurity lapses and to markets for consumer financial products and services, GAO said.

But, the consumer bureau staff told GAO, whether such exams continue depends on the agency’s priorities.

Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach