On May 15, the Office of Inspector General for the Consumer Financial Protection Bureau issued findings in a report entitled The CFPB Can Improve Its Practices to Safeguard the Office of Enforcement’s Confidential Investigative Information (the Report), stemming from an evaluation to determine whether the Bureau has effective controls to manage and safeguard access to Confidential Investigative Information (CII). The Report found that the Bureau’s practices could be improved. According to the findings, the Bureau’s Office of Enforcement (Office) allowed 113 unique users to have access to databases in which there was CII—which may include personally identifiable information—about companies that were subject to reviews by enforcement staff. Of those 113 users, 72 were still employed by the CFPB but did not have a need for access to that information, the report said.

Specifically, the OIG determined users continued to have access to at least one electronic application when it was no longer relevant to the performance of the users’ assigned duties. The OIG also cited instances of improper handling and safeguarding of sensitive information and inconsistent naming conventions for matters across its four electronic applications and two internal drives, which impeded the Office’s ability to verify, maintain, and terminate access to files. The OIG noted in the report that during its assessment the Office took several steps to correct these issues.

The OIG presented the following recommendations: (i) enhance practices for managing access rights to matter folders; (ii) improve the handling of printed sensitive information; and (iii)establish a standard naming convention for electronically stored information.