CFPB still has not notified consumers about data breach

Rohit Chopra
Rohit Chopra, director of the Consumer Financial Protection Bureau, faces increased scrutiny and potential congressional hearings a data breach by a now-fired bank examiner who sent personal identifiable information to his own email.
Ting Shen/Bloomberg

The Consumer Financial Protection Bureau said it has not yet notified 256,000 consumers, nearly two months after data was potentially compromised by a bank examiner with access to supervisory information and large-scale data collections. 

The CFPB said it is still working with financial institutions to notify consumers about the Feb. 14 breach in which a now-former bank examiner sent supervisory information on 45 institutions, and personal identifiable information on 256,000 consumers at seven institutions to his personal email account.

The bureau said there is no evidence that the information was disseminated beyond the former examiner's email account, and it remains unclear what harm — if any — has occurred. The bureau notified lawmakers about the breach on March 21 but it took another month before the incident was first disclosed in the Wall Street Journal. 

"To sit on it for this long, and to withhold from both consumers and the affected firms that this happened and then simply dismiss it was anything important and don't worry about it —  it is hard to imagine the CFPB would be okay if some private company did that," said Todd Zywicki, a law professor at George Mason University and senior fellow at the Cato Institute. "I know I have in the past gotten data breach notifications even where there was no evidence of any actual harm, just to alert me that it had happened."

Banks typically must report an outage or security breach within 36 hours of the incident being detected to their primary regulator — either the Federal Deposit Insurance Corp., the Federal Reserve or the Office of the Comptroller of the Currency — under a Biden administration rule that went into effect last year. The reporting requirements also cover tech vendors of banks that are affected by cybersecurity incidents.

The CFPB said the personal identifiable information on 256,000 consumers primarily included names and transaction-specific account numbers used internally by a financial institution. The data could not be used to gain access to a consumer's bank account, the bureau said.

The CFPB's data breach has exacerbated issues of trust with supervised entities and highlighted for some a double standard that exists in how the CFPB deals with its own security breach and how it treats security breaches at institutions it supervises.

"Mistakes happen, and that's what institutions always tell the bureau, and so the table has been turned," said Lucy Morris, a partner at Hudson Cook and a former CFPB deputy enforcement director. "Just like they expect companies to fully identify and remediate errors, they should do the same." 

The bureau has strict rules around companies disclosing confidential supervisory information with financial institutions being required to get permission to disclose. Several experts said the bureau now has special insight into understanding what a company goes through when a typical breach occurs. 

"Would it be fair to punish or fine a regulated institution when its primary enforcement agency commits the very same negligent mistakes?" said David Stein, a partner at Taft Stettinius & Hollister LLP in Columbus, Ohio. "No company suffers a data breach without a lot of hand-wringing and it's really important for the bureau to understand that every person who touches data can be a weak link."

The breach could also evolve into a political issue that may further gum up the works of the agency, which is already responding to numerous documentation requests. Two Republican lawmakers, Sen. Tim Scott, ranking member of the Senate Banking Committee, and Rep. Bill Huizenga, R-Michigan, who chairs the House Financial Services subcommittee on oversight & investigations, have called for CFPB Director Rohit Chopra to explain what happened. Huizenga asked for a staff briefing by April 25, Scott expects a briefing by May 8. Many expect Chopra may be called to testify at a congressional hearing. 

Both lawmakers asked for more information on remediation efforts to consumers, and any changes to mitigate further breaches and to address privacy concerns. The CFPB said it referred the breach to the Office of Inspector General, which declined to comment. It is not known if the bank examiner has been arrested or charged with theft of government property under 18 U.S.C. § 641, which makes it a crime to steal, sell, or dispose of any record, or something of value issued by the government.

The breach also has renewed concerns about the massive amount of information the CFPB collects and requests from financial institutions. Last year, Chopra announced that the CFPB would take action to protect consumers "from shoddy data security practices." The CFPB even published a circular on data security that provided non-binding guidance on the potential misuse and abuse of personal financial data including an explanation as to how and when a financial firm may violate the prohibition on "unfair acts or practices," in the Consumer Financial Protection Act.

Chopra also emphasized that financial companies can be held liable for engaging in "unfair" practices, a violation of the prohibition against "unfair, deceptive and abusive acts and practices," known as UDAAP. 

"Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse," Chopra said last year

Others questioned why employees have so much access to so much information and why the employee was caught after already accessing so much data. The CFPB has had little patience or sympathy for institutions about the data requests, some said. 

"The enormous amount of highly sensitive information that they ask for in exams and other sensitive information in other contexts, and the expectation that it will all be provided quickly and easily," Morris said. "And here they have their own problems." 

She added that "companies always say they shouldn't be punished with UDAAP and law enforcement penalties, and now the bureau can see that for themself." 

On the other hand, there are so many data breaches everywhere, and plenty of them are "inside jobs," that few are surprising, lawyers said. Most consumers likely have reset their privacy expectations, and many already knowingly hand over passwords and other personal information to third-party fintechs to access financial applications.  

The data breach also raises questions about how secure the CFPB's internal data is and whether it is adhering to advanced security procedures. The Government Accountability Office issued a report in 2014 that found the bureau needed to improve its privacy and security given the large-scale data it collects. 

At the time, the bureau had created a data intake and risk-management process, but GAO requested that more privacy controls be enacted and that more training of staff was needed. Some experts have questioned whether the CFPB took action at the time to safeguard its information security practices.

"There was a withering GAO report expressing concern about CFPB's data protection policies [and] it was never clear to me what CFPB had done to shore that up, if anything," Zywicki said. "It relates to this question of how much data the CFPB collects, what they use it for [and] who has access to it."

For reprint and licensing requests for this article, click here.
Politics and policy Regulation and compliance CFPB News & Analysis
MORE FROM AMERICAN BANKER