CFPB criticized by Fed for poor data security

A report issued by the Federal Reserve System Office of the Inspector General asserts that the Consumer Financial Protection Bureau failed to properly secure sensitive data it gathered for regulation and in investigations.

A report issued by the Federal Reserve System Office of the Inspector General asserts that the Consumer Financial Protection Bureau failed to properly secure sensitive data it gathered for regulation and in investigations. The full report can be found here.

According to the report, the “inconsistent safeguarding of printed sensitive information” can be attributed to a “lack of awareness” among CFPB employees about guidelines for handling sensitive information, as well as a lack of office-specific procedural guidance. “As a result, CFPB employees use inconsistent practices for handling and safeguarding sensitive information, increasing the risk of inadvertent and unauthorized disclosures,” the OIG report stated.

The report noted two kinds of failures. The first were technical oversights.  The OIG’s report found that 113 unique users had access to at least one electronic application within the CFPB’s Office of Enforcement after it was no longer necessary to their specific job duties. In some cases, former employees who left the bureau would have been able to access sensitive information. According to the OIG report, these users continued to have access “largely because of the Office of Enforcement’s challenges with updating access rights.”

The second type of failure was decidedly low-tech. The OIG’s investigation found that the CFPB didn’t take even simple steps to prevent improper access to confidential information, such as using cover sheets and locking employees’ office doors. “We found that CFPB employees do not consistently follow agency expectations for safeguarding printed sensitive information,” the OIG’s report claimed. All documents generated at the CFPB automatically get a standard cover sheet regardless of the document’s content and sensitivity level. In addition, attorneys and paralegals do not label documents in accordance with CFPB’ guidelines.

The bureau’s “labeling and storage standards were inconsistently followed and its naming conventions for investigative files were inconsistent, which could increase the risk of unauthorized disclosures” the report found.

It is unknown if any inappropriate disclosures took place, but the conditions for such a disclosure were apparently present, according to the OIG’s report. The CFPB states that no disclosures took place, and is addressing the concerns raised by the report. “The bureau agrees with each of the recommendations, has already implemented some of these recommendations, and will take steps to implement the remainder,” said a CFPB representative.