GAO reviewed the collection and protection of personally identifiable information ("PII") by five federal banking regulators (the CFPB, the FDIC, the Federal Reserve Board, the OCC and the National Credit Union Administration).

In a report to the Ranking Member of the Senate Finance Committee, GAO examined (i) what mission-related PII the five federal financial regulators collected, used and shared, and (ii) the extent to which the regulators ensured the privacy of the PII that they collected, used and shared in accordance with federal requirements and guidance.

The scope of the report included (i) the management of PII, (ii) the use of contractors and third parties, (iii) training, (iv) incident response and (v) the risk management framework.

GAO found that the various federal regulators had generally taken steps to protect PII but that there was room for improvement at each of the agencies.

Commentary

Although the report and the recommendations concerned the activities of the government regulators, and not of private parties, institutions that collect PII may find the structure of the report (including the framework set out on pages 6-8) useful for considering how well they protect PII, particularly given the possible penalty for failure to do so. The report is largely based on OMB Circular A-130, which describes "Managing Information as a Strategic Resource," and provides more detailed guidance as to the protection of information.

Primary Sources

  1. GAO Reports and Testimonies: Privacy - Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information
  2. GAO Report to the Ranking Member, Committee on Finance, U.S. Senate: Privacy - Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information