On March 30, the Consumer Financial Protection Bureau (CFPB) released its final rule on Section 1071, which directed the disclosure of consumer data for the agency’s discretion. Three weeks later, the agency compromised the data of over a quarter million consumers, leaving many concerned about the agency’s security. Before granting itself access to more sensitive data, the bureau should table this rulemaking and clarify its process for ensuring that data is safe from exposure.
The CFPB claims that a former employee is responsible for the data leak. That employee is believed to have illegally sent consumer data from seven different firms to the employee’s personal email. The last public update on the status of these emails was from Wednesday, April 19th. According to the update, the data is still in the former employee’s possession. The agency has described this as a “major incident,” with many questions regarding the safe return of this data still unanswered.
Concerns regarding the agency’s lack of transparency have also come up. Though the data leak only came to the public’s attention recently, the agency revealed it became aware of this issue on February 14, over two months ago. Why the former employee has yet to relinquish sensitive consumer information remains unknown.
Representative Patrick McHenry (R-NC), Chair of the House Financial Services Committee, expressed concern over the CFPB’s inability to protect consumer data. This is particularly concerning now, since the bureau has proposed new rules to expand its access to consumer data.
The Section 1071 rule directs lenders to give small business loan applicants the option to provide demographic information. Though the provision of data is optional, lenders are incentivized to respond since the CFPB has stated that low response rates could be a sign of illegally discouraging potential borrowers. Given the bureau’s history of targeting small lenders on dubious loan discouragement charges, businesses would be wise to maintain high response rates.
Though Section 1071 has received a myriad of criticisms, including raising overhead costs considerably, the recent leaks have exposed a less discussed concern — data security. It is alarming that an employee could send sensitive information out of the bureau’s network so easily. The failures in existing procedures need to be addressed before more consumers are put in harm’s way. Additionally, compliance with the new regulatory rules will further increase the exposure of sensitive personal consumer information.
The CFPB has a plan in place to avoid events like this. Under this plan, the bureau seeks to minimize the amount of personally identifiable information (PII) that it receives. According to its website, PII is only collected when necessary for working on consumer issues. Additionally, transparency in this process is purportedly held in high regard, with consumers being made aware when their data is collected. The bureau uses the Privacy Impact Assessment (PIA) to determine the potential of data exposure and compare it with the potential value of collecting consumer information.
Why the PIA was unable to prevent the most recent leak remains unclear. The agency will need to clarify whether the leak resulted from failures in the PIA or from a failure to follow procedures.
If the agency needs to make changes to the process, it could increase costs above what is already estimated for the Section 1071 rule. The CFPB will need to create proven systems to ensure that the information it has access to cannot be easily stolen or shared. Such protections will cost money, both in the form of updated security and potential inefficiencies caused by the added security. The public needs more transparency regarding the costs, along with evidence that the new system will not result in the same leaks.
A full audit of these events is needed to restore confidence in the bureau, particularly among small business owners. Only through analyzing mistakes can processes be implemented to prevent their continued occurrence. Until this happens, the Section 1071 rule should be tabled.
For the sake of consumers, further expansions to the bureau’s access to consumer data must be met with a high degree of skepticism.
Isaac Schick is a policy analyst at the American Consumer Institute, a nonprofit education and research organization. For more information about the Institute, visit www.TheAmericanConsumer.Org or follow us on Twitter @ConsumerPal.