GAO recommends FTC civil penalties for CRAs
Incidents don’t just lead to investigations. They sometimes result in new regulatory oversight. That’s the case with the Equifax data breach two years ago. If you’ll recall, Equifax, a consumer reporting agency (CRA), exposed the sensitive personal information of 143 million Americans.
The Government Accountability Office (GAO) took notice. GAO is the legislative branch government agency that provides auditing, evaluation and investigative services for the United States Congress. The agency is often called the congressional watchdog and has a reputation for creating change through its recommendations.
GAO published a March 2019 report, “Action Needed to Strengthen Oversight of Consumer Reporting Agencies” in which the agency recommended that Congress consider providing the FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Biley Act (GLBA). The added power would help ensure that the FTC has the tools it needs to act against data privacy and security violations effectively.
As the agency noted in its report, consumers can take actions to mitigate the risk of identity theft—such as implementing a fraud alert or credit freeze—and can file a complaint with the Federal Trade Commission (FTC) or the Consumer Financial Protection Bureau (CFPB). However, consumers are limited in the direct actions they can take against CRAs (like Equifax) in the event of a data breach.
Regardless if the FTC accepts GAO’s recommendation, it’s a warning for CRAs to implement best practices for preventing data breaches. For all other organizations, it’s more proof that data containing personally identifiable information (PII) should get the white-glove treatment.
Here are three takeaways from GAO’s recommendation:
Consider your compliance risk
The FTC handing out hefty civil penalties to consumer reporting agencies sets the precedent that civil penalties for data breaches could apply to other industries. Any regulatory body could cite the FTC civil penalty as justification for their proposed penalties.
It warrants the attention of your Chief Compliance Officer (CCO). Are they aware of this compliance risk? Deloitte recommends that CFOs work with their CCOs to understand the full spectrum of compliance risks lurking in each part of the organization. Here’s one question that needs answering. What’s the fallout from FTC civil penalties and lessons for your organization?
Privacy is in the regulatory spotlight
A data breach often leads to a loss of identity. In the example of the Equifax data breach, 143 million people experienced a loss of PII, which includes names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. The Equifax data breach, while vast and profound, wasn’t an aberration. Google, Facebook Yahoo, Marriott and Target have all testified before Congress and no doubt contributed to GAO’s thinking.
To prevent data breaches and protect data and privacy, organizations must take privacy seriously as new regulations are right around the corner. Next January, the California Consumer Privacy Act (CCPA) will take effect to protect the privacy of Californians. Eleven other states are right behind California in passing data privacy laws. Around the world, it’s a similar story with privacy laws enacted, amended, or being drafting in countries on every continent.
If you need privacy regulations as an incentive to invest in a privacy program, they’re coming. Pay close attention to breach notification rules and fines for noncompliance. It doesn’t have to rise to an FTC civil penalty to hurt the bottom line and damage customer relationships.
Not your ordinary compliance
Privacy regulation compliance isn’t something you can hand off to the compliance department and forget about it. Meeting requirements involves the entire organization. You need well-documented processes for managing data throughout its journey inside the company and with third-party providers.
Another twist to privacy compliance is delivering on data owner requests. Regulations like the General Data Protection Regulation (GDPR) and CCPA grant individual rights to consumers. It’s not checkbox compliance. It’s a systematic process of meeting requirements and continually adapting to best practices for protecting data and complying with any changes.
Compliance provides a level of protection from data breaches, but breaches still occur. That’s why we’re a little surprised that lawmakers didn’t address business continuity management in their privacy regulations. Just about any data breach would slow operations while assessing and containing the situation. You can bet that the Equifax data breach impacted operations.
GAO’s recommendation to provide the FTC with civil penalty authority over consumer reporting agencies is another example of the world adapting to privacy. Organizations must evolve, and sure signs are everywhere. It’s in government agency actions and businesses ramping up their privacy compliance programs. It’s also in what you know now. Data management must change permanently, and there are risks outside of compliance that require management.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.
Learn about Principled Performance: Why should your company pursue it?