Personal Information:

Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data

GAO-06-674: Published: Jun 26, 2006. Publicly Released: Jul 26, 2006.

Contact:

Alicia P. Cackley
(202) 512-3000
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The growth of information resellers--companies that collect and resell publicly available and private information on individuals--has raised privacy and security concerns about this industry. These companies collectively maintain large amounts of detailed personal information on nearly all American consumers, and some have experienced security breaches in recent years. GAO was asked to examine (1) financial institutions' use of resellers; (2) federal privacy and security laws applicable to resellers; (3) federal regulators' oversight of resellers; and (4) regulators' oversight of financial institution compliance with privacy and data security laws. To address these objectives, GAO analyzed documents and interviewed representatives from 10 information resellers, 14 financial institutions, 11 regulators, industry and consumer groups, and others.

Financial institutions such as banks, credit card companies, securities firms, and insurance companies use personal data obtained from information resellers to help make eligibility determinations, comply with legal requirements, prevent fraud, and market their products. For example, lenders rely on credit reports sold by the three nationwide credit bureaus to help decide whether to offer credit and on what terms. Some companies also use reseller products to comply with PATRIOT Act rules, to investigate fraud, and to identify customers with specific characteristics for marketing purposes. GAO found that the applicability of the primary federal privacy and data security laws--the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA)--to information resellers is limited. FCRA applies to information collected or used to help determine eligibility for such things as credit or insurance, while GLBA only applies to information obtained by or from a GLBA-defined financial institution. Although these laws include data security provisions, consumers could benefit from the expansion of such requirements to all sensitive personal information held by resellers. The Federal Trade Commission (FTC) is the primary federal agency responsible for enforcing information resellers' compliance with FCRA's and GLBA's privacy and security provisions. Since 1972, the agency has initiated formal enforcement actions against more than 20 resellers, including the three nationwide credit bureaus, for violating FCRA. However, FTC does not have civil penalty authority under the privacy and safeguarding provisions of GLBA, which may reduce its ability to enforce that law most effectively against certain violations, such as breaches of mass consumer data. In overseeing compliance with privacy and data security laws, federal banking and securities regulators have issued guidance, conducted examinations, and taken formal and informal enforcement actions. A recent national survey sponsored by the National Association of Insurance Commissioners (NAIC) identified some noncompliance with GLBA by insurance companies, but state regulators have not laid out clear plans with NAIC for following up to ensure these issues are adequately addressed.

Matters for Congressional Consideration

  1. Status: Closed - Implemented

    Comments: According to the Federal Trade Commission, since our report was published in 2006, several bills have been introduced in Congress related to data protection and identity theft that would give FTC enhanced civil penalty authority for its enforcement of Gramm-Leach-Bliley. Most recently, the House-passed version of H.R. 4173 would have provided such enhanced authority in this area.

    Matter: To ensure that the Federal Trade Commission has the tools it needs to most effectively act against data privacy and security violations, Congress may wish to consider providing the agency with civil penalty authority for its enforcement of the Gramm-Leach-Bliley Act's privacy and safeguarding provisions.

  2. Status: Closed - Implemented

    Comments: Bills introduced in Congress since 2006 to safeguard sensitive personal information have generally included rulemakings and other provisions to allow sufficient flexibility to implement the provisions among different types of entities. For example, H.R. 2221, the Data Accountability and Trust Act, would have required the FTC to write rules to enhance data security safeguards.

    Matter: If Congress were to choose to expand safeguarding requirements, it may wish to consider providing the implementing agencies with sufficient flexibility to account for the wide range in the size and nature of entities that hold sensitive personal information.

  3. Status: Closed - Implemented

    Comments: Congress has considered several bills since 2006 that would have required information resellers and a broader class of businesses to better safeguard sensitive personal information. For example, in December 2009, the House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, which would have required the FTC to write rules to enhance data security safeguards. Also in December 2009, the Senate Committee on the Judiciary reported S. 1490, the Personal Data Privacy and Security Act of 2009, which also called for enhanced safeguards for personal information.

    Matter: As Congress considers how best to protect data maintained by information resellers, it may wish to consider whether to expand more broadly the class of entities explicitly required to safeguard sensitive personal information.

  4. Status: Closed - Implemented

    Comments: Congress has considered several bills since 2006 that would have required information resellers and a broader class of businesses to better safeguard sensitive personal information. For example, in December 2009, the House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, which would have required the FTC to write rules to enhance data security safeguards. Also in December 2009, the Senate Committee on the Judiciary reported S. 1490, the Personal Data Privacy and Security Act of 2009, which also called for enhanced safeguards for personal information.

    Matter: Safeguarding provisions of FCRA and GLBA do not apply to all sensitive personal information held by information resellers. To ensure that such data are protected on a more consistent basis, Congress may wish to consider requiring information resellers to safeguard all sensitive personal information they hold.

Recommendation for Executive Action

  1. Status: Closed - Implemented

    Comments: The National Association of Insurance Commissioners (NAIC), in coordination with state regulators, took several actions in response to GAO's recommendation, including the following: (1) identified insurance groups and companies that had deficiencies identified in its 2005 nationwide survey related to compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act; (2) requested that state insurance regulators conduct a review of these deficiencies; (3) conducted monthly conference calls to devise an action plan for addressing the deficiencies; and (4) requested that state regulators follow up on deficiencies in their examinations. According to NAIC, as of September 13, 2007, all individual or company group investigations were complete with no additional recommended follow-up or action. In addition, NAIC said that it and state insurance departments have continued to proactively monitor privacy issues through the use of specific health and financial privacy codes as part of the NAIC's Complaint Database System.

    Recommendation: State insurance regulators, individually and in concert with the National Association of Insurance Commissioners, should take additional measures to ensure appropriate enforcement of insurance companies' compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. As a first step, state insurance regulators and NAIC should follow up appropriately on deficiencies related to compliance with these provisions that were identified in the recent nationwide survey as part of a broader targeted examination of GLBA privacy and safeguarding requirements.

    Agency Affected: National Association of Insurance Commissioners
