Facebook’s data collection practices have been splashed across headlines in recent weeks, and for good reason. Americans are coming to understand that the trust they’ve placed in social networking websites has been misplaced. Their data has not just been used to create a more personally tailored experience; it’s been monetized and sold repeatedly without their knowledge or express permission.
And yet the same week that Facebook’s Mark Zuckerberg was being grilled on Capitol Hill, another—and potentially much more significant—privacy scandal playing out in the halls of Congress was going largely overlooked. In recent testimony to Congress, Consumer Financial Protection Bureau (CFPB) chief Mick Mulvaney disclosed that he has been able to “document about 240 lapses in our data security.”
When pressed, Mulvaney said there are indications that there are many more suspected breaches.
“I think data got out that should not have gotten out,” Mulvaney said. “There’s another 800 that we suspect that we haven’t been able to confirm.”
To be clear, none of this is Mulvaney’s fault. If anything, he’s worked diligently to reduce the risk of Americans’ financial data falling into the wrong hands. In December he placed a freeze on CFPB’s collection of all personally identifiable information until the agency improved its data security systems.
But boy did he inherit a mess.
The Obama-era CFPB, created under the Dodd-Frank bill, was brash in its desire to collect Americans’ data. The bureau’s strategic plan openly stated that it sought to monitor four out of every five U.S. consumer credit card transactions and 95 percent of all mortgage transactions through its data mining programs. The agency also openly attempted to procure a vendor to do data analysis on credit card data, the scope of which adds some frightening clarity to the type of information it was after.
“Loan level data is the critical enabler in the CFPB’s efforts to understand and analyze consumer behavior and the credit card marketplace,” the solicitation states. Among the “[a]ccount level fields” listed in the solicitation are type of card, card balance, accountholder’s other relationships with the issuing bank, and the accountholder’s income, FICO score and payment history.
The agency’s efforts to collect data have grown over the years, vacuuming up sensitive information around automobile, business and student loans. The most recent count shows 12 consumer data-mining programs running simultaneously.
Just as troubling is that the agency moved forward with collecting this data despite knowing that it was doing a poor job of protecting it.
A 2014 GAO report found that “additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data.” A year later little had been done. The GAO found that “additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data.”
“CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data,” the GAO report says.
Is it any wonder that a mere 15 percent of Millennials trust the government, according to the latest polling by Pew Research? Obviously, there are a lot of factors that go into that historic mistrust, but the hubris that has been displayed by the CFPB is a perfect example of government run amok. They gathered tons of data without our knowledge, they didn’t care enough to take the necessary steps to protect it, and they sanctimoniously refused to answer Congress’ calls for action.
Fortunately, the Trump Administration is working to put the CFPB back in its place. Stopping the collection of personally identifiable information and bringing some much-needed transparency to the bureau’s data collection programs are great first steps. Both of those steps should give Congress the time and information it needs to fundamentally reform this rogue bureau.