On May 15, 2017, the Federal Reserve Office of Inspector General (OIG) – which also oversees the CFPB – released a report (the Report) finding deficiencies in the CFPB Office of Enforcement’s (Enforcement) processes for securing sensitive information. The evaluation, conducted between February 2016 and July 2016, reviewed Enforcement’s processes for protecting the information it collects from the entities subject to its investigations and litigation activities related to potential violations of federal consumer financial laws, referred to as confidential investigative information (CII).
First, the Report found that access to matters containing CII was not always restricted to employees who required it to perform their assigned duties – during the time period evaluated, the OIG identified 113 individuals with access to matters when they no longer needed it. Although CFPB policy requires that access to high-sensitivity information, including CII, be restricted to individuals “with a demonstrated business need,” employees were generally allowed broad access to the network drive containing CII. To address these issues, the Report offered five recommendations: (1) formalize in policy that employees should be granted access to Enforcement’s review tools and network drive matter folders only when such access is relevant to their assigned duties; (2) update policies and procedures to specify the process for approving and updating matter folder access rights for Enforcement’s review tools and network drive; (3) expand existing training for employees to reinforce guidance on Enforcement’s interpretation that “demonstrated business need” means relevance to performing assigned duties, and on the access approval and updating process for Enforcement’s review tools and network drive; (4) develop and implement a monitoring and testing approach to periodically confirm that Enforcement’s matter folders are appropriately restricted; and (5) coordinate with the Chief Information Officer to ensure that the new cloud environment, which is intended to replace the network drive, includes access approval and monitoring capabilities that meet the current and future needs of Enforcement.
Second, the Report found that Enforcement employees did not consistently follow CFPB guidelines for safeguarding CII, were unaware of certain aspects of the CFPB’s policies, and did not understand how relevant policies applied to their daily work activities. The Report offered three recommendations to address this issue: (1) develop and implement operational procedures specific to Enforcement for handling printed high-sensitivity information, including but not limited to information labeling requirements and the use of cover sheets; (2) establish a strategy to periodically reinforce handling and safeguarding requirements and establish a monitoring approach to test compliance with information handling and safeguarding policies and procedures; and (3) monitor securable, access-controlled storage space, including but not limited to lockable cabinets and offices, to ensure that it meets the needs of all Enforcement employees.
Lastly, the Report found that Enforcement’s lack of a uniform naming convention hindered its ability to monitor and maintain access to matter folders. The Report found that matter folder names were not uniform, with several instances of duplicate matters, and matters were inconsistently identified across different systems. This hindered management’s ability to: (1) locate documents; (2) assign and monitor access to matter folders; and (3) ensure uniform and complete documentation or data for a matter. The Report recommended developing a policy to establish a standard naming convention for matter folders and other relevant Enforcement folders to be used across all Enforcement applications and internal drives.
The Report raises significant – and continuing – concerns regarding Enforcement’s ability to safeguard the information it collects in the course of its investigations. The Report follows the OIG’s September 29, 2016, memorandum, which identified information security as an area for improvement for CFPB management (see our prior blog post). It is also notable that the Report’s review period coincides with Enforcement’s March 2016 consent order with Dwolla, which marked Enforcement’s first – and to date, its only – foray into the data security realm (see our blog post on the consent order). The Report’s findings highlight Enforcement’s continued struggle to satisfy the same internal data security requirements that it expects companies to maintain. Enforcement’s failure to restrict access to sensitive information creates a risk of unauthorized disclosure. Moreover, while the Report notes that former employees do not pose a significant risk because they should no longer have access to the CFPB’s network, the fact that their access rights were never removed provides at least some reason for concern that these individuals may be able to misuse this information.