GAO Report Recommends Stronger Oversight of CRAs to Protect Consumers against Data Breaches

GAO Report Recommends Stronger Oversight of CRAs to Protect Consumers against Data Breaches

Written By ESR News Blog Editor Thomas Ahearn

On March 29, 2019, United States Senator Elizabeth Warren (D-MA) and Chairman of the House Oversight and Reform Committee Elijah Cummings (D-MD) released the findings of a report entitled “Actions Needed to Strengthen Oversight of Consumer Reporting Agencies” that focused on federal regulation of consumer reporting agencies (CRAs) and made recommendations for protecting consumer information against data breaches, according to a press release on Senator Warren’s website.

GAO Report about CRAs & Data Breaches

The report from the Government Accountability Office (GAO) was requested by Senator Warren and Chairman Cummings in September of 2017 only days after nationwide CRA Equifax revealed a massive data breach that affected over 145 million Americans. The GAO recommended that the Federal Trade Commission (FTC) be given stronger civil penalty authority to enforce laws that protect consumer data, and that the Consumer Financial Protection Bureau (CFPB) improve oversight and supervision of CRAs.

“The Equifax breach revealed major gaps in how CRAs protect and use consumers’ private information, and the report we released today confirms that vulnerabilities still exist. The GAO has issued very clear recommendations on how to protect consumers, so let’s follow them,” Senator Warren and Chairman Cummings stated in the press release. “We need to give the FTC more tools to crack down on consumer data abuses and the CFPB needs to do its job, hold these firms accountable, and protect consumers.”

According to the report, the FTC has settled 34 enforcement actions against various entities related to consumer reporting violations of the federal Fair Credit Reporting Act (FCRA) since 2008, including 17 actions against CRAs. Some of these settlements included civil penalties – fines for wrongdoing that do not require proof of harm – for FCRA violations or violations of consent orders. Since 2015, the CFPB has had five public settlements with CRAs. Four of these settlements included alleged violations of FCRA.

As defined in the GAO report: “CRAs collect, maintain, and sell to third parties large amounts of sensitive data about consumers, including Social Security numbers and credit card numbers. Businesses and other entities commonly use these data to determine eligibility for credit, employment, and insurance. In 2017, Equifax, one of the largest CRAs, experienced a breach that compromised the records of at least 145.5 million consumers. GAO was asked to examine issues related to federal oversight of CRAs.”

The report concluded: “The 2017 data breach of Equifax highlighted the data security risks associated with CRAs. While companies in many industries have experienced data breaches, CRAs may present heightened risks because of the scope of sensitive information they possess and because consumers have very limited control over what information CRAs hold and how they protect it. These challenges underscore the importance of appropriate federal oversight of CRAs’ data security.”

Warren and Cummings released the report in advance of a hearing of the House Oversight and Reform Subcommittee on Economic and Consumer Policy on improving cybersecurity at CRAs. This is the second GAO report on the Equifax data breach requested by Senator Warren and Chairman Cummings. The first report – “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach” – was released in August 2018 and revealed significant failures by Equifax that were exploited by hackers.

“The massive data breach suffered by nationwide credit reporting agency Equifax in September 2017 that impacted more than 145 million Americans – almost half of the country – was a wake-up call for all industries to improve information security,” said Attorney Lester Rosen, founder and Chief Executive Officer (CEO) of Employment Screening Resources® (ESR). “The need for background screening firms that handle the personal data of job applicants to ensure information security has become mission critical.”

Data Breaches Lead to More Focus on Information Security with CRAs

In light of recent data breach incidents, consumer reporting agencies (CRAs) in the United States need to show data breach protection and information security capabilities on domestic and international fronts and this trend was chosen by global background check provider Employment Screening Resources® (ESR) as first on the list of “ESR Top Ten Background Check Trends” for 2019. For a complete list of the trends, please visit www.esrcheck.com/Tools-Resources/ESR-Top-Ten-Background-Check-Trends/.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2019 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.