On September 22, 2014, the U.S. Government Accountability Office ("GAO") published a report on the Consumer Financial Protection Bureau's ("CFPB") collection of consumer financial data entitled "Some Privacy and Security Procedures for Data Collections Should Continue Being Enhanced" ("Report"). The Report discussed the CFPB's adoption of privacy and data security policies and procedures to protect the consumer financial data it collects for use in its rulemakings, examinations, and reports (e.g., the Report states that the CFPB anonymizes large-scale data collections). However, the Report also stated that many of these policies and procedures are not fully documented or implemented. To help improve the CFPB's data security efforts, the GAO issued recommendations for the CFPB, including:
Establishing or enhancing written procedures for:
- Data intake;
- Anonymizing data;
- Evaluating privacy risks;
- Auditing privacy controls; and
- Documenting information security risk assessment results.
Implementing privacy and security steps, including:
- Obtaining reviews of the CFPB's privacy practices;
- Implementing privacy training;
- Updating remedial plans for the information system to include identified weaknesses; and
- Evaluating compliance with contract provisions of the CFPB's service provider that processes consumer financial data for the CFPB.