The data breach exposed information from at least 250,000 consumers’ accounts, plus confidential supervisory information on 45 to 50 banks.
04/20/2023 12:40 P.M.
4 minute read
A data breach caused by a former Consumer Financial Protection Bureau employee forwarding sensitive financial and supervisory information on consumers and banks to their own email account has members of Congress demanding answers from the bureau about its investigation into the incident.
According to multiple media reports, the employee, who was fired from the CFPB when the data breach was reported, made an unauthorized transfer of CFPB records containing personal information on 256,000 consumers and confidential supervisory information on at least 45 financial institutions.
Politico reports that the consumer information was in spreadsheets containing names and “transaction-specific account numbers” for one financial institution.
Lawmakers, including members of the House Financial Services Committee, were alerted in a March 21 email from CFPB staff that they learned of the data breach on Feb. 14, according to Politico.
“If these facts prove to be true, the effects could be widespread and injurious,” said U.S. Rep. Bill Huizenga, R-Mich., chair of the House Subcommittee on Oversight and Investigations, in his letter (PDF) to the CFPB requesting more information on the data breach.
Huizenga requested a briefing from the CFPB to House Financial Services Committee staff by April 25, 2023, “to better understand the mitigation and remediation efforts, the scale of the breach, as well as efforts made to give the appropriate notifications.”
U.S. Rep. Patrick McHenry, R-N.C., chair of the House Financial Services Committee, said in a statement reported by Politico, “This breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information. Republicans will ensure any bad actors are held accountable.”
In the Senate, U.S. Sen. Tim Scott, R-S.C., the ranking member of the Senate Banking Committee, weighed in and asked CFPB Director Rohit Chopra for more information on the data breach and the bureau’s regulation of data collection.
“Since your agency became aware of the data breach, the CFPB has finalized an additional rule involving the vast collection of small business lending data on credit products, including term loans, lines of credit, credit cards, merchant cash advances, and even personally identifiable information like race, ethnicity, and sex,” Scott said in a letter to Chopra (PDF). “This is highly concerning given that the CFPB has provided limited insight to Congress into the CFPB’s data management practices and efforts to ensure the privacy of consumer and small business data.”
Scott requested specific details on the data breach, the content of the data, the CFPB’s remediation steps as well as its data privacy practices and potential changes that will be made in response to this incident, by May 8, 2023.
In a statement to Politico, CFPB spokesperson Sam Gilford said the data breach was referred to the inspector general.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” Gilford said, according to the article. “All CFPB employees are trained in their obligations under bureau regulations and [f]ederal law to safeguard confidential or personal information.”
CFPB Small Business Lending Data Collection Rule
Earlier this month, the bureau released a final rule required by Congress “to increase transparency in small-business lending, promote economic development, and combat unlawful discrimination,” ACA International previously reported.
Under the rule, “lenders will collect and report information about the small business credit applications they receive, including geographic and demographic data, lending decisions, and the price of credit. The rule will work in concert with the Community Reinvestment Act, which requires certain financial institutions to meet the needs of the communities they serve. The increased transparency will benefit small businesses, family farms, financial institutions, and the broader economy.”
The final rule also prompted a response from Rep. McHenry about the bureau’s regulatory processes—a key issue for the congressman.
“The Consumer Financial Protection Bureau’s disastrous small business lending data collection rule is another front in the Biden Administration’s assault on small businesses,” McHenry said in a statement on the rule. “By imposing overly burdensome reporting requirements on smaller lenders, Director Chopra is jeopardizing the privacy and security of small business owners’ personal and financial data. Yet again, the CFPB under Rohit Chopra is limiting access to credit for small businesses still struggling under the weight of Democrat-induced inflation. To hold the CFPB accountable for its harmful rulemaking, the House Financial Services Committee will explore all options—including the Congressional Review Act—to ensure it does not take effect.”
Advocate with ACA
The CFPB’s regulatory process is one of the critical issues you’ll hear about by attending ACA’s annual Washington Insights Fly-In May 15-17, 2023.
Activity in Washington, D.C., stands to have a major impact on our ability to operate, provide employment, and assist lenders provide access to credit at reasonable costs. We are excited to get members back into the Capitol to advocate for our industry’s latest pressing issues.
For more information on the annual advocacy event, visit the Washington Insights Fly-In website.
Remember, subscribe to ACA Daily and Member Alerts under your My ACA profile when logged in to acainternational.org to receive updates on the ACA Huddle.
