OIG Audit Addresses Data Security Concerns at the CFPB

Financial Services Law

The independent auditor of the Office of Inspector General (OIG) of the Federal Reserve System reported on cybersecurity issues at the Consumer Financial Protection Bureau (CFPB), and the report does not quite fit the picture painted by either advocates or opponents.

What happened

You may recall that, back in January 2018, Senator Elizabeth Warren grilled CFPB Acting Director Mick Mulvaney about his decision to limit CFPB staff access to electronic data pending a review of the bureau’s cybersecurity issues. In her January 4, 2018, letter to Mulvaney, Senator Warren complained that the “CFPB cannot fulfill its core functions without collecting personally identifiable information,” and questioned whether the freeze on data collection was unfairly hamstringing the bureau’s operations.

Responding to that letter, Mulvaney wrote back to Senator Warren, claiming 233 confirmed breaches tied to the CFPB’s bureau response system, plus an additional 840 suspected breaches. Mulvaney also pointed to more than 100 consumer complaints on publicly accessible CFPB databases that contained unredacted personally identifiable information (PII), and noted the “irony” of Warren’s admitted reliance on “internal CFPB documents” to support her belief that “internal Bureau information is secure.” Without any apparent sense of irony of his own, however, Mulvaney (one of the CFPB’s greatest critics) likewise defended his actions by claiming he had, under Dodd-Frank, “near complete discretion and autonomy regarding how the Bureau will meet its statutory obligations.”

On February 14, 2018, the OIG finally issued its report on the independent audit of the CFPB’s privacy program and its implementation. While the formal objective of this audit was to assess the adequacy and effectiveness of the CFPB’s privacy program and its implementation, including compliance with applicable requirements to protect PII, the long-awaited report allows the public to see in more detail whether the CFPB was truly the data breach nightmare painted by the acting director, or something much less so.

The CFPB is, of course, an active collector of massive amounts of consumer and industry data. And, of course, when collecting PII, the CFPB is responsible for ensuring that it collects only the minimum amount of data necessary, that it notifies the public of these collections, and that it develops and fully implements effective physical and logical security controls to protect PII from unauthorized or inappropriate access.

The audit provides an excellent description of how the CFPB handles data, and who is responsible for maintaining it. From the report, we now understand that the CFPB’s privacy team consists of five full-time privacy professionals. The head of the privacy team is Claire Stapleton, its chief privacy officer (CPO), who is also designated as the senior agency official for privacy (SAOP). Of note to the auditors is that Ms. Stapleton does not presently report to the head of the CFPB, but rather to Linda Powell, the CFPB’s chief data officer (CDO), who in turn reports to Jerry Horton, who serves as chief information officer (CIO).

The CFPB’s Data Intake Group is responsible for vetting and approving proposed data and datasets before the CFPB collects them. The privacy team reviews proposed data collections for compliance with applicable laws and policies and makes recommendations to the CIO regarding whether to approve them. In addition, the Data Release Group is charged with determining whether the CFPB must disclose public-use datasets, and if so, the extent of disclosure. The privacy team reviews requests to ensure that the CFPB protects the privacy of individuals in the released data. This includes validating whether releases employ effective de-identification techniques to reduce the risks associated with the public disclosure of datasets.

Overall, and notwithstanding Acting Director Mulvaney’s comments in late January, the auditors found that the CFPB has substantially developed, documented and implemented a privacy program that addresses applicable federal privacy requirements and security risks related to collecting, processing, handling, storing and disseminating sensitive privacy data. Further, the auditors noted that the CFPB has documented privacy policies and procedures covering a wide range of topics, including privacy roles and responsibilities, privacy impact assessment (PIA) and system of records notice (SORN) management, training, breach notification and response, and monitoring and auditing.

That said, the auditors did identify two areas that require improvement: (1) identification and maintenance of a comprehensive inventory of PII, and (2) physical controls over the CFPB’s portable media. This led to two recommendations, both of which the CFPB has agreed to address and fix:

First, the auditors recommended that the CFPB develop and maintain a comprehensive inventory of all PII. The CFPB lacks a comprehensive inventory that identifies all PII or privacy data collected, processed, handled and stored throughout the organization. The auditor requested and obtained an inventory of the CFPB’s privacy data from the CPO, who extracted it from the CDO’s data repository. The inventory included detailed information on data collected as part of the CFPB’s core business activities. Although this inventory did clearly identify where the CFPB considered business data to be privacy-related, and whether the data required a PIA or SORN, it did not include data used by various core offices at the CFPB. The auditor therefore recommended that the CFPB develop, document and fully implement a formal process to identify, track and periodically update all PII collected, processed and stored throughout the CFPB. The auditor said that at a minimum, this inventory should clearly identify what PII the CFPB is collecting or handling, who within the CFPB is responsible for the security of PII, locations (both physical and logical) where PII is stored, and whether a privacy impact assessment or SORN is required.

The second recommendation is that the CFPB strengthen physical security controls over portable media and passwords. On a walk-through of CFPB offices, the auditors found some abuses, including CFPB personnel routinely failing to physically secure CFPB-issued laptops when leaving them unattended; one instance of a CFPB staffer leaving a CFPB-issued phone and thumb drive unattended; and another CFPB employee appearing to have written down a password on a sheet of paper and left it on his or her desk. The auditor therefore recommended that the CFPB develop, document and implement a formal process for monitoring compliance with physical security requirements regarding portable media such as laptops, thumb drives and smartphones, as well as around passwords and hard copies of sensitive PII.

To review the OIG report on the CFPB’s privacy program:

Why it matters

The independent audit tends to confirm that the Mulvaney-Warren spat over data collection may be as much about politics as it is about substance. The report agreed with Acting Director Mulvaney that there are material problems at the CFPB with respect to the protection of sensitive customer information, but also found that the bureau is otherwise doing a more than adequate job in attempting to keep that information secure.