Congress should consider giving the Federal Trade Commission (FTC) civil penalty authority to enforce the Gramm-Leach-Bliley Act’s (GLBA) safeguarding provisions for information gathered by consumer reporting agencies (CRAs), the Government Accountability Office (GAO) stated in a Feb. 21 report released Tuesday.
The GAO report also recommended that the Consumer Financial Protection Bureau (CFPB) do two additional things: identify additional sources of information on larger CRAs; and reassess the bureau’s prioritization of examinations to address CRA data security. CFPB neither agreed nor disagreed with GAO’s recommendations, the congressional watchdog said.
GAO said it conducted the study of CRAs after it was asked by two Democratic senators and two Democratic House members (respectively, Rod Wyden of Oregon, Elizabeth Warren of Massachusetts, Maxine Waters of California, and Elijah Cummings of Ohio) to examine issues related to federal oversight of CRAs. The GAO said its resulting report, among other things, discusses:
- measures the FTC has taken to enforce CRA compliance with requirements to protect consumer information,
- measures the CFPB has taken to ensure CRA protection of consumer information, and
- actions consumers can take after a breach.
“GAO reviewed relevant laws, documentation related to CRA examinations, and policies and practices of selected CRAs; and interviewed representatives of regulatory agencies, CRAs, consumer and industry groups, and Attorneys General from four states with consumer reporting requirements,” the agency said in its report.
GAO noted that it found in its study that if a CRA experiences a data breach, affected consumers can take actions to mitigate the risk of identity theft – such as implementing a fraud alert or credit freeze – and can file a complaint with the FTC or the CFPB. “However, consumers are limited in the direct actions they can take against the CRA,” GAO reported. “Consumers generally cannot exercise choice in the consumer reporting market – such as by choosing which CRAs maintain their information – if they are dissatisfied with a CRA’s privacy or security practices.
“In addition, according to CFPB, consumers cannot remove themselves from the consumer reporting market entirely because they do not have a legal right to delete their records with CRAs,” GAO stated. “This limited control by consumers, coupled with the large amount and sensitive nature of the information CRAs possess, underscores the importance of appropriate federal oversight of CRAs’ data security.”
GAO report 19-196: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies