The Consumer Financial Protection Bureau’s Office of Enforcement failed to properly secure sensitive, confidential information, leaving the data available to both employees that no longer needed access to the data and former employees who left the bureau, a watchdog report found.
The new report, released this week by the Board of Governors of the Federal Reserve System Office of the Inspector General for the Consumer Financial Protection Bureau (and first reported by Law360), showed that the CFPB’s Office of Enforcement did not put proper protocols in place to secure confidential investigative information and confidential supervisory information.
“The Office of Enforcement did not timely restrict access to confidential information for reassigned or transferred personnel,” the OIG’s office found. “In addition, the office’s labeling and storage standards were inconsistently followed and its naming conventions for investigative files were inconsistent, which could increase the risk of unauthorized disclosures.”
A note of caution on the findings of the report is necessary, as the OIG states that its investigation found that the CFPB’s Office of Enforcement did not have effective controls to manage and safeguard access to its confidential investigative information, but adds that it did not review whether any unauthorized disclosures of sensitive information occurred or not.
So, at this time, it’s unknown where any inappropriate disclosures took place, but the conditions for such a disclosure were apparently present, according to the OIG’s report.
The OIG’s report, which can be read in full here, found that that 113 unique users had access to at least one electronic application within the Office of Enforcement after it was no longer necessary to their specific job duties.
In some cases, former employees who left the bureau would have been able to access sensitive information, but the OIG report cautions that “these situations present limited risk to the agency because individuals who have left the CFPB should not have access to CFPB systems.”
According to the OIG report, these users continued to have access “largely because of the Office of Enforcement’s challenges with updating access rights.”
But according to the report, after the OIG’s investigation identified the access issues, the CFPB took steps to review its levels of access and remedy the issues called out by the OIG.
Outside of the technological issues, the OIG’s investigation found that the Office of Enforcement didn’t take additional antiquated steps to prevent improper access to confidential information – such as using cover sheets and locking employees’ office doors.
“We found that Office of Enforcement employees do not consistently follow agency expectations for safeguarding printed sensitive information,” the OIG’s report showed.
Specifically, the report found that Office of Enforcement employees do not always label information according to the CFPB’s established sensitivity levels, do not routinely use cover sheets for sensitive information, and do not always store sensitive information in locked locations.
The OIG states that the “inconsistent safeguarding of printed sensitive information” is due to a “lack of awareness” among Office of Enforcement employees about the CFPB’s guidelines for handling sensitive information, as well as a lack of office-specific procedural guidance.
“As a result, Office of Enforcement employees use inconsistent practices for handling and safeguarding sensitive information, increasing the risk of inadvertent and unauthorized disclosures,” the OIG report stated.
The report showed that at the CFPB’s headquarters, a standard cover sheet is automatically printed at the beginning of every printed document, regardless of the document’s content and sensitivity level.
But the OIG found that Office of Enforcement attorneys and paralegals do not label documents in accordance with CFPB’ guidelines. Rather, they often label documents according to the stipulations of the litigation agreements, including labeling documents: confidential, sensitive, confidential investigative information, confidential supervisory information, deliberative, and privileged.
But in one of the CFPB’s regional offices (the location is not identified), not only are cover sheets are not automatically printed, none of the attorneys and paralegals the OIG’s personnel spoke with at that office currently use cover sheets for sensitive materials.
According to the OIG, these issues are caused by a “lack of awareness” of the CFPB’s policies for handling information.
“In the absence of specific Office of Enforcement procedures, attorneys and paralegals have developed their own informal practices for handling and safeguarding sensitive information, which has led to inconsistent practices across the Office of Enforcement,” the OIG report stated.
The OIG’s investigation also found that although the Office of Enforcement’s office space is “guarded and access to it is controlled,” the OIG learned during its interviews that many Office of Enforcement attorneys did not have office doors or cabinets in their offices that can be locked.
“As a result, attorneys sometimes leave sensitive information in unsecured places, such as on bookshelves and desktops or in non-locking cabinets, despite their awareness that sensitive information should be stored in a secure, access-controlled location,” the OIG’s report stated.
The OIG report states that after identifying the security issues, the CFPB began properly securing the offices and cabinets in question.
The CFPB also notes in its response that the Office of Enforcement subsequently developed standard language for all cover sheets to reflect the sensitive nature of the printed information.
The office also developed mandatory training on information handling and safeguarding requirements as well as a monitoring approach to test compliance with information handling and safeguarding policies and procedures, the CFPB said.
When asked for a response to the OIG’s report, a CFPB spokesperson referred HousingWire to the CFPB’s response included in the OIG’s report.
In its response in the OIG report, the CFPB said that it appreciated the OIG recommendations, but noted that no breaches of confidential information occurred.
“Nonetheless, the Bureau appreciates the hard work of the Office of the Inspector General and believes their recommendations will further strengthen the Office of Enforcement’s robust information controls,” the CFPB’s associate director of the division of supervision, enforcement, and fair lending, Christopher D’Angelo, said in the CFPB’s response.
“The Bureau agrees with each of the recommendations, has already implemented some of these recommendations, and will take steps to implement the remainder,” D’Angelo added.