December 8, 2019

CFPB Resumes Collection of Personally Identifiable Information for Examinations

CFPB Acting Director Mick Mulvaney reportedly announced on Thursday that he was lifting the freeze on the CFPB’s collection of personally identifiable information (PII) from companies it supervises. As we previously reported in December 2017, Mr. Mulvaney imposed a freeze on the CFPB’s collection of PII due to concerns about the CFPB’s data security systems.

The freeze was reportedly lifted through a memo to the staff of the CFPB, in which Mr. Mulvaney stated that “Out of an abundance of caution and a desire to protect Americans’ privacy, I placed a hold on the collection of personally identifiable information and other sensitive data.” However, “after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift th[e] hold.” The independent review concluded that “externally facing Bureau systems appear to be well-secured.”

The freeze had significantly impacted the CFPB’s supervisory program. Before the freeze, companies being examined were able to submit information, including PII, to CFPB examiners by uploading it to the CFPB’s Extranet. During the freeze, the CFPB halted use of the Extranet, and examination teams resorted to burdensome workarounds, such as requiring examination responses to be printed onto paper that could be shredded at the conclusion of the exam. Notably, the freeze did not extend to the CFPB’s enforcement division, which continued to collect PII in connection with enforcement actions.

Copyright © by Ballard Spahr LLP

About this Author

Roshni Patel, Attorney, Privacy, Data Security, Ballard Spahr Law Firm, Washington DC
Associate

Roshni Patel advises clients on privacy and data security matters. She helps companies maintain compliance with federal and state laws and regulations, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and California’s Online Privacy Protection Act. She also counsels companies on industry standards, such as the Payment Card Industry Data Security Standards (PCI-DSS), and evolving Federal Trade Commission and Consumer Financial Protection Bureau standards related to privacy and data security. Ms. Patel routinely drafts privacy...

202-661-7686