Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data

GAO-06-674 June 26, 2006
Highlights Page (PDF)   Full Report (PDF, 76 pages)   Accessible Text   Recommendations (HTML)

Summary

The growth of information resellers--companies that collect and resell publicly available and private information on individuals--has raised privacy and security concerns about this industry. These companies collectively maintain large amounts of detailed personal information on nearly all American consumers, and some have experienced security breaches in recent years. GAO was asked to examine (1) financial institutions' use of resellers; (2) federal privacy and security laws applicable to resellers; (3) federal regulators' oversight of resellers; and (4) regulators' oversight of financial institution compliance with privacy and data security laws. To address these objectives, GAO analyzed documents and interviewed representatives from 10 information resellers, 14 financial institutions, 11 regulators, industry and consumer groups, and others.

Financial institutions such as banks, credit card companies, securities firms, and insurance companies use personal data obtained from information resellers to help make eligibility determinations, comply with legal requirements, prevent fraud, and market their products. For example, lenders rely on credit reports sold by the three nationwide credit bureaus to help decide whether to offer credit and on what terms. Some companies also use reseller products to comply with PATRIOT Act rules, to investigate fraud, and to identify customers with specific characteristics for marketing purposes. GAO found that the applicability of the primary federal privacy and data security laws--the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA)--to information resellers is limited. FCRA applies to information collected or used to help determine eligibility for such things as credit or insurance, while GLBA only applies to information obtained by or from a GLBA-defined financial institution. Although these laws include data security provisions, consumers could benefit from the expansion of such requirements to all sensitive personal information held by resellers. The Federal Trade Commission (FTC) is the primary federal agency responsible for enforcing information resellers' compliance with FCRA's and GLBA's privacy and security provisions. Since 1972, the agency has initiated formal enforcement actions against more than 20 resellers, including the three nationwide credit bureaus, for violating FCRA. However, FTC does not have civil penalty authority under the privacy and safeguarding provisions of GLBA, which may reduce its ability to enforce that law most effectively against certain violations, such as breaches of mass consumer data. In overseeing compliance with privacy and data security laws, federal banking and securities regulators have issued guidance, conducted examinations, and taken formal and informal enforcement actions. A recent national survey sponsored by the National Association of Insurance Commissioners (NAIC) identified some noncompliance with GLBA by insurance companies, but state regulators have not laid out clear plans with NAIC for following up to ensure these issues are adequately addressed.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Yvonne D. Jones
Team: Government Accountability Office: Financial Markets and Community Investment
Phone: No phone on record


Matters for Congressional Consideration


Recommendation: Safeguarding provisions of FCRA and GLBA do not apply to all sensitive personal information held by information resellers. To ensure that such data are protected on a more consistent basis, Congress may wish to consider requiring information resellers to safeguard all sensitive personal information they hold.

Status: In process

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: As Congress considers how best to protect data maintained by information resellers, it may wish to consider whether to expand more broadly the class of entities explicitly required to safeguard sensitive personal information.

Status: In process

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: If Congress were to choose to expand safeguarding requirements, it may wish to consider providing the implementing agencies with sufficient flexibility to account for the wide range in the size and nature of entities that hold sensitive personal information.

Status: In process

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: To ensure that the Federal Trade Commission has the tools it needs to most effectively act against data privacy and security violations, Congress may wish to consider providing the agency with civil penalty authority for its enforcement of the Gramm-Leach-Bliley Act's privacy and safeguarding provisions.

Status: In process

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendations for Executive Action


Recommendation: State insurance regulators, individually and in concert with the National Association of Insurance Commissioners, should take additional measures to ensure appropriate enforcement of insurance companies' compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. As a first step, state insurance regulators and NAIC should follow up appropriately on deficiencies related to compliance with these provisions that were identified in the recent nationwide survey as part of a broader targeted examination of GLBA privacy and safeguarding requirements.

Agency Affected: National Association of Insurance Commissioners

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.