CFPB Acting Director Mick Mulvaney reportedly announced on Thursday that he was lifting the freeze on the CFPB’s collection of personally identifiable information (PII) from companies it supervises. As we previously reported in December 2017, Mr. Mulvaney imposed a freeze on the CFPB’s collection of PII due to concerns about the CFPB’s data security systems.
The freeze was reportedly lifted through a memo to the staff of the CFPB, in which Mr. Mulvaney stated that “Out of an abundance of caution and a desire to protect Americans’ privacy, I placed a hold on the collection of personally identifiable information and other sensitive data.” However, “after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift th[e] hold.” The independent review concluded that “externally facing Bureau systems appear to be well-secured.”
The freeze had significantly impacted the CFPB’s supervisory program, prior to which companies being examined were able to submit information, including PII, to CFPB examiners by uploading it to the CFPB’s Extranet. During the freeze, the CFPB halted use of the Extranet, and examination teams resorted to burdensome workarounds, such as requiring examination responses to be printed onto paper that could be shredded at the conclusion of the exam. Notably, the freeze did not extend to the CFPB’s enforcement division, which continued to collect PII in connection with enforcement actions.