Consumer Data Protection: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies
GAO-19-196
Published: Feb 21, 2019. Publicly Released: Mar 26, 2019.
Fast Facts
Consumer reporting agencies are companies that collect, maintain, and sell vast amounts of sensitive data. In 2017, a breach at Equifax, one of the largest of these companies, compromised at least 145.5 million consumers' data.
Consumers have little control over what information these companies have, so federal oversight is important—and it could be improved. For example, the Consumer Financial Protection Bureau doesn't routinely consider data security risk when prioritizing its examinations of these companies.
We recommended improving federal enforcement of data safeguards and oversight of these companies' security practices.
A woman holding various forms of ID at a computer screen showing the names of the 3 reporting agencies.
Highlights
What GAO Found
Since 2008, the Federal Trade Commission (FTC) has settled 34 enforcement actions against various entities related to consumer reporting violations of the Fair Credit Reporting Act (FCRA), including 17 actions against consumer reporting agencies (CRA). Some of these settlements included civil penalties—fines for wrongdoing that do not require proof of harm—for FCRA violations or violations of consent orders. However, FTC does not have civil penalty authority for violations of requirements under the Gramm-Leach-Bliley Act (GLBA), which, unlike FCRA, includes a provision directing federal regulators and FTC to establish standards for financial institutions to protect against any anticipated threats or hazards to the security of customer records. To obtain monetary redress for these violations, FTC must identify affected consumers and any monetary harm they may have experienced. However, harm resulting from privacy and security violations can be difficult to measure and can occur years in the future, making it difficult to trace a particular harm to a specific breach. As a result, FTC lacks a practical enforcement tool for imposing civil money penalties that could help to deter companies, including CRAs, from violating data security provisions of GLBA and its implementing regulations.
Since 2015, the Consumer Financial Protection Bureau (CFPB) has had five public settlements with CRAs. Four of these settlements included alleged violations of FCRA; and three included alleged violations of unfair, deceptive, or abusive practices provisions. CFPB is also responsible for supervising larger CRAs (those with more than $7 million in annual receipts from consumer reporting) but lacks the data needed to ensure identification of all CRAs that meet this threshold. Identifying additional sources of information on these CRAs, such as by requiring them to register with the agency through a rulemaking or leveraging state registration information, could help CFPB ensure that it can comprehensively carry out its supervisory responsibilities. According to CFPB staff, the bureau does not have authority to examine for or enforce the GLBA’s safeguards provisions. After the Equifax breach, however, CFPB used its existing supervisory authority to examine the data security of certain CRAs. CFPB’s process for prioritizing which CRAs to examine does not routinely include an assessment of companies’ data security risks, but doing so could help CFPB better detect such risks and prevent the further exposure or compromise of consumer information.
If a CRA experiences a data breach, affected consumers can take actions to mitigate the risk of identity theft—such as implementing a fraud alert or credit freeze—and can file a complaint with FTC or CFPB. However, consumers are limited in the direct actions they can take against the CRA. Consumers generally cannot exercise choice in the consumer reporting market—such as by choosing which CRAs maintain their information—if they are dissatisfied with a CRA’s privacy or security practices. In addition, according to CFPB, consumers cannot remove themselves from the consumer reporting market entirely because they do not have a legal right to delete their records with CRAs. This limited control by consumers, coupled with the large amount and sensitive nature of the information CRAs possess, underscores the importance of appropriate federal oversight of CRAs’ data security.
Why GAO Did This Study
CRAs collect, maintain, and sell to third parties large amounts of sensitive data about consumers, including Social Security numbers and credit card numbers. Businesses and other entities commonly use these data to determine eligibility for credit, employment, and insurance. In 2017, Equifax, one of the largest CRAs, experienced a breach that compromised the records of at least 145.5 million consumers.
GAO was asked to examine issues related to federal oversight of CRAs. Among other things, this report discusses (1) measures FTC has taken to enforce CRA compliance with requirements to protect consumer information, (2) measures CFPB has taken to ensure CRA protection of consumer information, and (3) actions consumers can take after a breach. GAO reviewed relevant laws, documentation related to CRA examinations, and policies and practices of selected CRAs; and interviewed representatives of regulatory agencies, CRAs, consumer and industry groups, and Attorneys General from four states with consumer reporting requirements.
Recommendations
GAO recommends that Congress consider giving FTC civil penalty authority to enforce GLBA’s safeguarding provisions. GAO also recommends that CFPB (1) identify additional sources of information on larger CRAs, and (2) reassess its prioritization of examinations to address CRA data security. CFPB neither agreed nor disagreed with GAO’s recommendations.
Matter for Congressional Consideration
| Matter | Status | Comments |
|---|---|---|
| Congress should consider providing the Federal Trade Commission with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations. (Matter for Consideration 1) | As of February 2025, Congress has not passed legislation to explicitly provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. However, in September 2023, a federal district court found that FTC has such authority under existing law. We will continue to monitor the status of this matter. |
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Consumer Financial Protection Bureau | The Director of CFPB should identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold. (Recommendation 1) |
In July 2020, CFPB staff noted that they had reviewed state credit reporting agency/company (CRA) registration information available to them, were working to obtain additional state registration information, and were exploring additional ways to leverage the information. In September 2023, CFPB added that the agency has now leveraged state registration information for CRAs to identify additional CRAs and determine if they meet the larger participant (LP) threshold. CFPB added that their Office of Supervision Policy is monitoring or aware of 87 CRAs that may be considered or excluded as potential LPs. Of those, just under 20 came from state registration or licensing lists. CFPB excluded most of those as potential LPs because their products did not fit the LP rule's definition of "consumer financial product or service." This review left two CRAs identified from the state information remaining, and the Office of Supervision Policy collected additional information from these companies and from it determined that only one of the CRAs met the $7M annual receipts threshold and had business activities that met the definition of "consumer reporting" in the LP rule. By leveraging the state information, CFPB has taken a cost-effective means to identify known and lesser known CRAs under its authority. The information also will help ensure that the agency has more comprehensive information for carrying out its supervisory responsibility, and help CFPB better detect data security risks and prevent further exposure or compromise of consumer information.
|
| Consumer Financial Protection Bureau | The Director of CFPB should assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks. (Recommendation 2) |
In February 2025, CFPB noted that it had incorporated data security risk into its process for identifying entities for examination. CFPB provided GAO documents that showed that CFPB staff include field market intelligence, which includes technology and systems risk, as part of the process for prioritizing entities for review. Documents provided to GAO also showed that CFPB management had incorporated data breaches and cybersecurity attacks as a factor in the prioritization process.
|
Full Report
GAO Contacts
Public Inquiries
Topics
Compliance oversightConsumer complaintsConsumer protection lawsConsumer protectionConsumersFinancial institutionsFinancial productsIdentity theftInformation securityPersonally identifiable informationPrivacy