The Consumer Financial Protection Bureau announced it will once again begin collecting private consumer data after completing a review of its cybersecurity defenses.
In a memo to the agency’s staff reviewed by HousingWire, CFPB Acting Director Mick Mulvaney announced Thursday the data collection will continue.
“When I first arrived at the Bureau, I was concerned that the information the Bureau collects about consumers could fall prey to hackers or other actors,” Mulvaney said in the memo. “So, out of an abundance of caution and a desire to protect Americans’ privacy, I placed a hold on the collection of personally identifiable information and other sensitive data.”
But he announced in the memo that now, after an exhaustive review by outside experts, including a comprehensive “white-hat hacking” effort, the bureau can now lift that hold.
Back in December, Mulvaney drew fire from Democrats when he announced his decision to freeze the collection of consumer data.
Sen. Elizabeth Warren, D-Mass., was highly critical of the decision, and sent the acting director a letter saying his response went too far and is impacting the bureau’s ability to regulate the companies it oversees.
“Like Director Mulvaney, I take ‘data security very, very seriously’ and share his conviction that institutions – whether government agencies or private companies – must be responsible stewards of the sensitive consumer data they hold,” Warren writes in the letter. “However, after reviewing the reports, their recommendations, and CFPB’s response, I believe Director Mulvaney’s actions are unjustified and that he inappropriately used the reports as a pretext to halt and weaken critical agency functions.”
The fight over data collection at the bureau is not a new issue.
Back in 2014, the Government Accountability Office released a study saying the CFPB was collecting financial data on up to 600 million consumer credit card accounts without sufficient security and privacy protections to ensure there is no risk of improper collection, use, or release of consumer financial data.
But the CFPB argued that wasn’t the case.
At the time, the CFPB explained to HousingWire, “Data is essential for effective financial regulation. It allows regulators to see how markets are functioning and monitor the impact of rules,” Gilford said. “As GAO stated in its report, ‘[p]rior to and during the 2007-2009 financial crisis, [GAO] and others noted that the lack of data on consumer financial products and services hindered federal oversight in areas such as mortgages and fair lending.’”
Now, after completing its own study, the review concluding that externally facing bureau systems appear to be well-secured. Mulvaney also announced he will take action on the recommendations of the third-party review.
“For instance, during the white-hat exercise, some people opened emails which, had they been sent by someone other than the outside experts, could have contained a virus or served to help capture sensitive data,” he said in the memo. “Therefore, we will step up our employee and contractor training on how to detect and deal with suspicious emails.”
Mulvaney explained those involved in data collection will hear from the division office leadership soon with guidance on how to resume collecting information, and what to tell outside financial institutions about the decision.
“This process has been an important exercise in holding ourselves to the same high standards to which we hold the entities we oversee,” Mulvaney said. “I appreciate your patience and all of the hard work involved in making sure we are good stewards of such sensitive information.”