To mitigate the risk of data breaches like the Equifax breach in 2017, the Federal Trade Commission should have civil penalty authority to enforce the consumer privacy requirements of the Gramm-Leach-Bliley Act, the Government Accountability Office said in a report today. Although the FTC oversees GLBA privacy compliance for nonbanks, it currently lacks that authority; to obtain monetary relief it must identify the customers affected by a breach and the harm they suffered, and tracing specific harms to a particular breach is difficult.
The GAO also said that the Consumer Financial Protection Bureau, which has supervisory authority over large consumer reporting agencies, should identify additional sources of information to ensure it is supervising all the CRAs that it should be, and that the bureau should prioritize data security in its examinations of CRAs.
The report notes that banks and credit unions—which are supervised for GLBA compliance by their primary regulators—are subject to regular IT exams with cybersecurity components, and that those regulators already have the civil money penalty authority the GAO is recommending for the FTC.