From the U.S. Government Accountability Office, www.gao.gov

Transcript for: How Federal Financial Regulators Protect Your Personal Information

Description: Federal financial regulators are increasingly using individuals' data to detect and prevent crimes like funding terrorism, as well as to enhance online interactions with consumers. However, as its use increases, so have concerns about protecting individuals' privacy. We talk with GAO's Nick Marinos and Alicia Cackley to find out more.

Related GAO Work: GAO-22-104551, Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information

Released: January 2022

[Music]

[Nick Marinos:] According to the Office of Management and Budget, agencies reported more than 2,800 breaches that had potentially affected more than 10 million individuals' personal information.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Federal financial regulators are increasingly using individuals' data to detect and prevent crimes, like funding terrorism, as well as to enhance online interactions with consumers. This data is often collected by financial institutions like banks. However, as its use increases, so have concerns about protecting individuals' privacy. And some federal agencies are not doing all they can to protect this privacy. Today, we'll talk with two experts who looked at this issue. Joining us are Nick Marinos, an expert in cybersecurity and the Managing Director of our Information Technology and Cybersecurity team; and Alicia Cackley, an expert on consumer protections and a director in our Financial Markets and Community Investment team. Thanks for joining us.

[Nick Marinos:] Thanks a lot, Holly.

[Alicia Cackley:] My pleasure, Holly.

[Holly Hobbs:] So, Alicia, we looked at what federal financial regulators are doing to protect privacy. What did we find?

[Alicia Cackley:] So many agencies, including the regulatory agencies that we reviewed, collect a lot of Personally Identifiable Information--or PII, as we call it--as part of their oversight responsibilities. And that can pose challenges for protecting individuals' privacy. And the agencies we looked at, namely the Federal Deposit Insurance Corporation, the Federal Reserve, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau, can best ensure that they're protecting consumer information by following all related federal laws and guidance. And one of the primary objectives of our review was to determine the extent to which those financial regulators were following key practices in federal law and guidance.

[Holly Hobbs:] Ok, so what do we know about these efforts?

[Alicia Cackley:] So federal laws specify certain requirements that the agencies have to protect the systems and data, and they establish responsibilities with regard to protecting personally identifiable information in particular. Some of that legislation includes the Privacy Act of 1974, which limits the agencies' collection and use of PII and requires agencies to provide the public with certain information, such as the intended use of the data and procedures individuals can use to review and correct information about themselves. And in addition, the Privacy Act and other key privacy laws and guidance set out requirements for agencies to conduct privacy impact assessments, and they detail agency responsibilities for managing PII. They provide guidance to agencies in making decisions about individuals' access to PII, about agency authority in handling PII, and also about the security safeguards in place to protect PII.

[Holly Hobbs:] And can you give us some examples of the type of consumer information that's collected, and how it might be used?

[Alicia Cackley:] Sure. So commonly used types include things like people's names and addresses, as well as their Social Security numbers and information related to the individual financial transactions that they may have conducted. And all five of the regulators use this PII in their roles overseeing and conducting supervisory examinations of financial institutions, which commonly focus on ensuring the safety and soundness of the institution. But it can also include a consumer compliance component, such as examining the use of credit cards and home mortgage lending data to ensure compliance with financial laws. And all five regulators also use PII to conduct enforcement activities over financial institutions. For example, using and storing sensitive PII obtained as part of investigations and in handling complaints or inquiries regarding consumer financial products or services. And some regulators use PII as part of approving financial institutions to operate and to facilitate a fair resolution when an institution fails.

[Holly Hobbs:] So, Nick, let's talk about the cybersecurity aspects of this. How are federal regulators ensuring that this data is safe from things like data breaches?

[Nick Marinos:] Yeah, well, these five regulators have already created privacy programs to manage those risks. So, among other things, these programs include activities like assessing the impacts on privacy of changes made to an IT system, or the way in which that PII might be used, imposing conditions on external parties that they may be sharing with or relying on to handle some of this personal information, as well as overseeing contractors that might have access to this information. And very importantly, also, the regulators have developed and implemented privacy awareness and training programs so that their employees and contractors understand the expectations that are set for them on how they handle the personal information as well.

Now, in terms of responding to incidents such as data breaches, all five regulators have established formal incident response capabilities, and they test those procedures that they've put together to ensure that they're working properly. They have plans not only for those basic steps, but also the timelines for notifying potentially affected individuals. In other words, if PII were to be impacted or compromised as a result of the breach, how quickly would they turn around and notify individuals whose PII might have been compromised?

[Holly Hobbs:] So how likely are data breaches, and why might hackers want this data?

[Nick Marinos:] Yeah, I mean, the trend is not great, Holly. In the last several years, data breaches of federal agencies and at big organizations in the private sector have resulted in the potential compromise of millions of records of Americans, including financial-related information. According to the Office of Management and Budget, agencies reported more than 2,800 breaches to Congress in fiscal year 2020 that had potentially affected more than 10 million individuals' personal information. And more than 19,000 breaches were reported within agencies that year. These totals don't include the several prominent recent breaches, such as the Equifax breach about 5 years ago that impacted an estimated 146 million consumers. The reality is that a data breach can occur under many circumstances and for many reasons. Among other things, malicious attackers want to use that personal data that they may be able to steal to create or maintain fraudulent accounts, to obtain inappropriate benefits, or to perform identity theft.

[Music]

[Holly Hobbs:] So Alicia and Nick just told us that while data collected by financial institutions like banks can be used by financial regulators to protect American consumers, it can also put them at risk if there are data breaches or cyberattacks. So, Nick, did we make any recommendations to federal regulators to better protect this data?

[Nick Marinos:] We did, but I think it's important to note that CFPB and the four prudential regulators, they're taking a lot of steps already to protect personal information in line with federal guidance. That said, we did find some areas that could be further improved, and we made eight recommendations where we felt one or more of these regulators needed to improve their privacy practices. And this included recommendations around encouraging agencies to maintain full inventories of the personal information in their agency-owned applications, identifying metrics to monitor how effectively their privacy controls are working, and to more fully track decisions that officials make based on sort of selecting and testing those privacy protections as well.

[Holly Hobbs:] And last question, Nick, how about you take it. What's the bottom line of this report?

[Nick Marinos:] Well, I think the bottom line is that the five regulators we looked at have more than 100 information system applications that collect and use extensive amounts of personal information. And they share that personal information with financial institutions, contractors, and other regulators as part of fulfilling their missions. Generally, the regulators have set up privacy programs that do a pretty good job at protecting this PII. But there are several areas where we think they can improve the privacy protections in line with federal guidance. Until the regulators take those steps to mitigate the weaknesses we found, they could be at increased risk of compromise.

[Holly Hobbs:] That was Alicia Cackley and Nick Marinos talking about GAO's recent review of data privacy. Thank you both for your time.

[Alicia Cackley:] Thank you, Holly.

[Nick Marinos:] My pleasure, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report.
To hear more podcasts, subscribe to us on Apple Podcasts, Spotify or wherever you listen and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.