CFPB Employee Sent Data on 256,000 Consumers to Personal Email

An employee of the Consumer Financial Protection Bureau (CFPB) made unauthorized transfers of confidential data relating to 256,000 consumers to a personal email account, the bureau has revealed. The CFPB found personally identifiable information relating to customers of seven institutions that had been forwarded by a staffer—who is no longer employed at the CFPB. The same staffer also accessed information that included names and transaction-specific account numbers related to about 256,000 consumer accounts at one institution. The CFPB informed the House Committee on Financial Services about the breach in March, informing lawmakers that the breached data contained personally identifiable information (PII) as well as confidential supervisory information (CSI). An investigation of the data breach is ongoing and the CFPB has referred the matter to a federal inspector general, who oversees investigations of the CFPB and the Board of Governors for the Federal Reserve System. “The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information,” a CFPB spokesperson said in a statement. “We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.” The CFPB did not say exactly how many times its former staffer transferred information held by the Bureau to a personal email account. On Tuesday, Rep. Bill Huizenga (R-Mich.) sent a letter (pdf) to CFPB Director Rohit Chopra, alleging the former CFPB employee’s transfer of data took place over the course of 65 emails and contained information on 50 institutions. NTD News reached out to the CFPB for more information about the breach, but the bureau did not respond before this article was published. The CFPB was founded under a provision of the 2010 Dodd–Frank Wall Street Reform and Consumer Protection Act. The bureau, which began operations in 2011, was established to regulate banks and other financial institutions in the wake of the 2008 recession. Republicans Demand Answers In his Tuesday letter, Huizenga called for Chopra to brief the House Financial Oversight Committee about the CFPB data breach by April 25. Sen. Tim Scott (R-S.C.) sent his own letter (pdf) to Chopra on Wednesday, requesting a briefing on the data breach by May 8. Scott, who serves as the ranking member of the Senate Banking, Housing, and Urban Affairs Committee, said the former employee’s emails represent “an egregious lack of oversight by the CFPB. “It is no secret that Director Chopra wants to collect more and more data in order to push out progressive regulations,” Scott added. “Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumer’s financial information?” A spokesperson for Sen. Sherrod Brown (D-Ohio) defended the CFPB from further criticism in a statement to Roll Call. “The CFPB followed protocols by notifying relevant committees of the breach,” Brown’s spokesperson said. “This matter has been referred to the Office of Inspector General. However, the CFPB has taken every step required of the agency, and any wrongdoers must be held accountable for misconduct.” The CFPB has been the subject of controversy since its founding. Several lawsuits have challenged the constitutionality of how the CFPB is organized, and a U.S. appeals court ruled in October that the bureau’s funding model violates the U.S. Constitution’s Appropriations Clause. The CFPB, which exists under the auspices of the executive branch, was designed to be funded through the Federal Reserve, as opposed to the periodic congressional appropriations that fund other government agencies. In 2017, the CFPB also became the subject of a legal battle over who has the authority to lead the bureau. At the time, then-President Donald Trump had planned to appoint Mick Mulvaney to lead the CFPB as his administration sought to roll back some of the bureau’s regulatory powers. When he stepped down as head of the CFPB on Nov. 24, 2017, Obama-appointee Richard Cordray named Leandra English as his successor to serve as acting director of the bureau. Cordray sought to position English as the temporary head of the CFPB under a succession provision of the Dodd-Frank Act. On Nov. 28, 2017, U.S. District Judge Timothy J. Kelly, a Trump appointee, ruled that Mulvaney could begin leading the agency. Reuters contributed to this article.