For more than 18 months, the Consumer Financial Protection Bureau has not completed key steps in a plan to control data access for individuals who lost bureau-issued laptop computers, the CFPB’s independent inspector general said in a report today. In June 2016, the inspector general warned that the bureau has been unable to account fully for laptops issued to employees since the agency was created, and it identified actions the bureau should take to mitigate risks from unaccounted-for laptops.
The IG report said the CFPB has assessed the effect of loss of the laptops and strengthened controls for sensitive data on mobile devices but “has not completed all the steps outlined in our early alert memorandum related to the data access actions of individuals to whom the unaccounted-for laptops were assigned.” The full report was restricted from public view due to the sensitivity of the matter. While the bureau employs full-disk encryption on laptops, lost or stolen devices may result in releases of confidential information or be used as a threat vector, the IG said.