July 25, 2013

The Government Has Your Data at Its Fingertips

Hester Peirce

Former Senior Research Fellow

As news broke about the Internal Revenue Service’s accidental disclosure of thousands of Social Security numbers online, a representative of the Consumer Financial Protection Bureau testified before a subcommittee of the House Financial Services Committee about the CFPB’s use of Americans’ personal financial data. He reassured Congress that the CFPB “makes every effort to obtain market data in an efficient manner with an eye toward reducing the burden and cost on industry. The bureau also makes every effort to safeguard and protect the information that it does obtain.”

In another ironic twist, on the very same day, I happened to receive a letter that makes such assurances sound a bit less comforting.

The letter is from the Securities and Exchange Commission—my former employer—warning me that my personally identifiable information, along with that of some other SEC employees, has potentially been compromised. The letter reveals that my data was discovered on the computer network of another government agency and went on to explain:
 
“[T]he origin of the data was an upload from an employee’s thumb drive … the employee formerly worked at the SEC and, upon departure from the SEC, inadvertently and unknowingly downloaded the SEC personnel data to the thumb drive. The employee had thought he was downloading templates to help him in his future work for the Government.”
 
Once he arrived at the new agency, he uploaded the files to its network. The employee’s desire to take what he could from the SEC and apply it to his new government job is commendable—and, although his plan was ill-conceived, the mistake he made may be understandable. But that is exactly the problem. The government can earnestly promise that it will protect your data, but—staffed as it is with humans, some of whom are diligent but careless and others of whom are ill-intentioned—it cannot honor that promise.

In light of that reality, the CFPB’s data collection efforts are troubling, despite its efforts to mollify Congress at the recent hearing. The CFPB is compiling a database of loan-level data, but the agency maintains it will take steps to ensure the data cannot be tied to a particular borrower by name. 

The CFPB also has 4 percent of consumers’ credit records going back 10 years, yet this information is purportedly not linked to a named individual. Moreover, the CFPB seems to think that the fact that other regulators have been collecting similar data should be reassuring. The CFPB collects very detailed information about customers, such as credit card account information, directly from the firms it regulates. But once again, the public is not to worry; according to the bureau’s testimony, “it does not analyze data that includes personal identifiers.”
 
The fact is, the CFPB does have some personally identifiable data and—using a little bit of elbow grease or the computer wizardry of its Generation Y workforce—can probably tie a named consumer to the allegedly unidentifiable data it has. This task will be made easier if, as the U.S. Chamber of Commerce suggests, the CFPB is executing a plan to require banks to catalogue the consumer data they provide to the bureau according to individual identifiers. 

But no worries, as the CFPB told Congress, it “stores and protects personally identifiable information, along with other confidential information and data, according to information security requirements that comply with applicable Federal laws and regulations.”

So does the SEC. And so did the Department of Veterans Affairs in 2006, when one of its employees lost—in a home burglary—electronic data containing sensitive personal information on 26 million of our nation’s veterans.
 
Underlying all of the CFPB’s attempts to allay concerns about its collection and retention of information about Americans’ financial transactions is an insistence that the bureau is motivated by one thing and one thing only—the welfare of the American consumer. Likewise, the former SEC employee with the thumb drive unwittingly full of personally identifiable information was just trying to excel at his new job, and the Veterans Affairs employee was just trying to get ahead by working at home.
 
The government, like any other human organization, will inevitably be subject to data breaches. That is why we ought to be awfully sure that regulators really need data before we start handing it over to them.