9 Questions the CFPB Asks to Secure Your Privacy
Is it me, or have things been leakier recently? I’m not just referring to new episodes of Orange Is the New Black or iPhone 8 blueprints, but the seriously scary leaks, such as the nearly 400,000 consumer files hackers stole from telemarketing companies and released to the public earlier this year. And then there’s the seemingly endless outpouring of leaks from the White House—leaks that threaten United States security and jeopardize our nation’s relationships with allies overseas.
Seems like we’re overdue for some good digital plumbing.
For its part, the Consumer Financial Protection Bureau has asserted and reasserted its dedication to safeguarding individuals’ privacy online. From the outset, the CFPB has conducted Privacy Impact Assessments of its various on and offline systems, services, and procedures. Additionally, the Bureau periodically audits its PIA process to “regularly check that [it is] meeting the requirements and take appropriate action if [it is] not doing so.”
What does this all mean for consumers and financial companies? Basically, the CFPB cares about your privacy, and has published stacks of reports about how it keeps your personal identifying information (or, as the acronym-loving CFPB refers to it, “PII”) secure. PII encompasses any data—such as your name, address, or Social Security number—that someone could use to find out who you are or track you.
As of this writing, there are 30 PIAs available to peruse through on consumerfinance.gov. The CFPB has reviewed everything from its directories and databases to its research methodologies to its Civil Penalty Fund in order to ensure your privacy is protected at every step along the way.
Got that? PIAs tell the CFPB how to take better care of your PII. Each PIA poses nine questions:
- What is the purpose of the data collection?
- How open and transparent is the data collection process?
- How does the CFPB ensure it only collects the minimum necessary data?
- What does the CFPB do to limit the use and sharing of the information?
- How does the CFPB ensure the quality and integrity of the data?
- What security measures are in place?
- How can individuals participate in the process (e.g. by correcting or amending their data)?
- How are CFPB personnel trained in the process?
- How does the CFPB keep itself accountable?
Sometimes, the answers to these questions reveal details about complex federal apparatuses; other times, it’s a matter of common sense. The CFPB’s Social Media PIA [pdf], for instance, mentions that, whenever it can, the Bureau chooses not to collect or disseminate consumers’ personally identifying information on social media platforms like Facebook and Twitter, since “social media is inherently public”:
“Information collected through the Bureau’s use of social media is typically collected as aggregate data from third parties or through the Bureau’s own website. We collect direct identifying and aggregate information directly through the platforms and in some instances collect aggregate information through our third-party providers. …
In the rare occasion that CFPB does collect personal information from its social media tools, the primary purpose is to respond to questions or complaints that we receive. When the Bureau receives a question, CFPB will copy and paste the question into an email and send it internally only to the appropriate CFPB point of contact to address. An answer is then provided to the original requester in the third-party channel where the question originated. This collection will include the username of the individual asking the CFPB for information so that the Bureau can respond directly to the requestor through the tool used to solicit information from the Bureau. The username and question copied from the social media site will not be shared outside the Bureau until the response is submitted through the social media tool.”
While the primary purpose of these PIAs is to make the CFPB more transparent to the public, they also provide insight into what the Bureau is looking for in the financial institutions it regulates. Lenders should compare their practices with the CFPB’s: How do you handle personal information collected through social media? Are there any areas of exposure in your relationships with third parties?
At a time when organizations of all kinds are vulnerable to cyberattacks and data breaches, any unsecured database, process, computer, or file can put an entire network at risk. The days of siloed IT departments are long behind us. As international cybersecurity consultant Kevin Paul Murphy wrote in a recent article for American Banker, “[i]t is now more accurate to describe a bank as a technology company.” Your consumers and capital partners are counting on you, so take a cue from the CFPB and practice smart, secure, and transparent data protection.