Mulvaney’s Attempted Sabotage Fails, CFPB Data Collection Will Continue (Hack Free)
Despite Hiring Hackers, Mulvaney Comes Up Short in Attack on Data Collection Essential to Enforcing Consumer Protection Laws
WASHINGTON, D.C. – Today, in an email to Consumer Financial Protection Bureau (CFPB) staff, “Acting Director” Mick Mulvaney wrote that “after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift that hold. The independent review concluded that “externally facing Bureau systems appear to be well-secured.” Last December, Mulvaney froze the CFPB’s data collection efforts which many saw as an attack on the bureau’s ability to enforce laws protecting consumers from financial bad actors.
Last month, during a Senate Banking Committee hearing, Mulvaney doubled down in his attack on CFPB data collection when he failed to challenge a Senator’s insinuation that the bureau’s efforts had potentially been breached, instead telling the lawmaker he had to be “careful” about what he said and that he would “be more than happy” to speak about it privately.
“The CFPB’s data collection efforts have been Mick Mulvaney’s chopping block from the very beginning because he knows shutting this important work down would grind the bureau’s enforcement of consumer protection laws to a halt. That’s something the Wall Street special interests that showered him with $1.2 million in campaign cash would love to see,” said Karl Frisch, executive director of Allied Progress, a consumer advocacy organization.
He continued, “In his zealous pursuit to end CFPB data collection and hurt the bureau’s ability to enforce consumer protection laws, Mulvaney even hired a hacker to try and compromise bureau security. All he had to do was read the Inspector General’s report and he would have known the bureau takes these issues quite seriously. But this was never about protecting data for Mulvaney. This was about protecting Wall Street.”
What You Need To Know
- BACK THEN… Mulvaney failed to challenge a Senator’s insinuation that CFPB data collection efforts had potentially been breached. In an open U.S. Senate Banking Committee hearing, Mulvaney was asked point blank if he was aware of any data breaches having occurred at the CFPB. Mulvaney did not directly answer the question, telling a U.S. Senator he had to be “careful” about what he said and that he would “be more than happy” to speak about it privately. [The Consumer Financial Protection Bureau’s Semi-Annual Report to Congress, United States Senate Banking, Housing, and Urban Affairs Committee, 04/12/18; The Consumer Financial Protection Bureau’s Semi-Annual Report to Congress, United States Senate Banking, Housing, and Urban Affairs Committee, 04/12/18]
- BUT NOW… Mulvaney sent staff email admitting CFPB data collection systems are “‘well-secured'” after he hired a hacker to test the systems. On May 31, 2018, Mick Mulvaney sent an email to CFPB employees that an “‘exhaustive review'” had concluded that the CFPB “‘externally facing'” systems were “‘well-secured.'” Mulvaney’s email stated that he had frozen data collection out of “an abundance of caution” and that, since the review revealed that the systems were sound, CFPB employees would resume their data collection efforts. [Mick Mulvaney email to CFPB All Hands, Consumer Financial Protection Bureau, 05/31/18]
The CFPB has always taken data collection security seriously and Mulvaney’s freeze was really an attack on the bureau’s ability to enforce consumer protection laws.
- Inspector General Report Shows CFPB Takes Data Collection Security and Privacy Issues Seriously. The Office of the Inspector General for the CFPB issued a report that showed that the CFPB has “implemented” a program that addresses “privacy requirements and security risks” associated with handling private data. The report noted that the CFPB has “documented privacy policies and procedures covering a wide range of topics.” [Manatt, Phelps & Phillips, LLP, “OIG Audit Addresses Data Security Concerns at the CFPB,” JD Supra, 03/02/18]
- Mulvaney’s Freezing of CFPB Data Collection Was Seen as an Attack on Bureau’s Enforcement Capabilities. When Mick Mulvaney halted the CFPB’s “collection of all personally identifiable information […] The move raised concerns that the bureau’s enforcement actions would be stalled.” Mulvaney wanted to freeze collection until “the CFPB improve[d] its data security systems.” [Kate Berry, “CFPB’s Mulvaney to Warren: Breaches justified data-collection halt,” American Banker, 01/19/18; James Kin and Bowen Ranney, “CFPB data collection freeze impacting CFPB examinations,” Ballard Spahr LLP, 12/15/17]
- Mulvaney’s CFPB Data Collection Freeze Hampered Efforts to Monitor Compliance of Financial Institutions. The move to freeze data collection caused confusion among enforcement staff and “hamper[ed]…efforts to monitor financial firms for compliance with consumer protection rules.” [Jessica Eisinger, “The Consumer Financial Protection Bureau’s declaration of dependence,” ProPublica, 02/15/18]
- CFPB Data Collection Helps Identify Wrong-doing by Financial Institutions. One CFPB attorney described the move as “‘freezing enforcement.’” The CFPB relies on personally identifiable information to determine whether financial institutions, like Wells Fargo, are “taking advantage” of customers. [Jessica Eisinger, “The Consumer Financial Protection Bureau’s declaration of dependence,” ProPublica, 02/15/18]
- CFPB Data Collection Helps Identify Discriminatory Lending Practices. The CFPB has used consumer data to “help the agency identify discrimination and other industry misconduct, and can serve as a basis for writing rules.” [Yuka Hayashi, “New CFPB Chief Curbs Data Collection, Citing Cybersecurity Worries,” The Wall Street Journal, 12/04/17]
# # #