WASHINGTON–The Government Accountability Office (GAO) has issued a new report that says cybersecurity exams of the credit reporting agencies will be conducted by the BCFP, but only if it identifies cybersecurity as a priority.
The report was issued in response to the giant 2017 data breach at Equifax, in which more than 145 million data files on U.S. consumers were exposed.
The GAO report, “Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach,” states the Bureau of Consumer Financial Protection and the Federal Trade Commission (FTC) are the two federal agencies that have primary oversight for the credit reporting agencies.
The GAO added its own investigation of the Equifax breach is “ongoing.”
According to GAO, when it comes to the credit reporting agencies, the BCFP has mostly been focused on compliance with the Fair Credit Reporting Act and, in particular, requirements related to accuracy and resolving consumer disputes.
But even in that area the agency could improve, according to the GAO. GAO said the BCFP has authority to examine for any unfair, deceptive, or abusive acts or practices and to bring enforcement actions against credit reporting agencies (CRAs) of all sizes for such acts or practices.
“According to BCFP staff, in some cases, a CRA could commit an unfair, deceptive, or abusive act or practice or violation of other applicable law in connection with its data security practices,” GAO said.
GAO said BCFP has informed it that, since October 2017, BCFP staff have begun conducting targeted data security and cybersecurity examinations in response to a large volume of consumer complaints following the Equifax breach. BCFP staff told GAO they use such complaints as one factor to prioritize future supervisory examinations, as well as investigations and enforcement actions.
But whether such exams will continue, BCFP staff told the GAO, will be up to the agency and its priorities.