Rhetoric vs. Reality: CFPB Nominee Kraninger’s Data Security Record Should Worry Consumers
According to her written testimony, Kathy Kraninger will tell the Senate Banking Committee this morning that protecting “sensitive” consumer data will be one of her top priorities if she’s confirmed. Sadly, the rhetoric of President Trump’s nominee for Director of the Consumer Financial Protection Bureau (CFPB) doesn’t match the reality of her record. As the following research makes clear, Kraninger has a troubling history when it comes to information security.
RHETORIC: Kathy Kraninger Says Protecting Consumer Data is a Priority
- In her written testimony, Kathy Kraninger said, “the Bureau must recognize its profound duty to the American people to protect sensitive information in its possession. Under my leadership, the Bureau would limit data collection to what is needed and required under law and ensure that data is protected. This issue clearly needs more attention, particularly because many consumers are unaware of the vulnerabilities or unsure of what actions to take to protect themselves.” [“Testimony of Kathy Kraninger,” Hearing of the Senate Banking Committee, 07/19/18]
REALITY: Kathy Kraninger Has a Troubling History When It Comes to Information Security
- While at DHS Kathy Kraninger advocated for biometric data collection practices for foreign nationals that the GAO criticized for “significant information security control weaknesses.” While at DHS, Kathy Kraninger advocated for the use of biometric data from foreign nationals entering the United States. She said that US-VISIT biometrics collection “provides a significant layer of security.” However, the Department of Homeland Security’s widespread adoption of biometric data has been deeply controversial. It has been called “the most elaborate system of identification in the United States” by privacy advocates and criticized for “significant information security control weaknesses” by the Government Accountability Office. [Testimony of Kathleen Kraninger, “The Progress and Pitfalls of the Terrorist Watchlist,” Hearing of the House Committee on Homeland Security, 11/08/07; “United States Visitor and Immigrant Status Indicator Technology (US-Visit),” Electronic Privacy Information Center, accessed 06/28/18; Stephanie Condon, “DHS wants green card holders’ fingerprints,” CNET, 12/18/08; “Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program,” United States Government Accountability Office, July 2007 and Paul Willis, “Fully biometric airports becoming a reality,” CNN, 08/11/09]
- Also at DHS Kathy Kraninger pushed for federal and state issuers to adopt RFID chips in identification cards and documents, despite being aware of the vulnerabilities they created. It was known at the time that the chips could be read at a distance. As a defense against hackers, Kraninger thought it was sufficient to offer protective sleeves and codes. [Prepared Statement and Testimony of Kathleen Kraninger, “Technology for Secure Identity Documents,” Hearing of the House Committee on Oversight and Government Reform Subcommittee on Government Management, Organization, and Procurement, 10/18/07]
REALITY: The CFPB has generally been found to have good data security mechanisms
- An Inspector General Report Showed the CFPB Takes Data Collection Security and Privacy Issues Seriously. The Office of the Inspector General for the CFPB issued a report that showed that the CFPB has “implemented” a program that addresses “privacy requirements and security risks” associated with handling private data. The report noted that the CFPB has “documented privacy policies and procedures covering a wide range of topics.” [Manatt, Phelps & Phillips, LLP, “OIG Audit Addresses Data Security Concerns at the CFPB,” JD Supra, 03/02/18]
- Mulvaney even sent CFPB staff an email admitting CFPB data collection systems were “‘well-secured’” after he hired a hacker to test the systems. On May 31, 2018, Mick Mulvaney sent an email to CFPB employees that an “‘exhaustive review’” had concluded that the CFPB “‘externally facing’” systems were “‘well-secured.’” Mulvaney’s email stated that he had frozen data collection out of “an abundance of caution” and that, since the review revealed that the systems were sound, CFPB employees would resume their data collection efforts. [Mick Mulvaney email to CFPB All Hands, Consumer Financial Protection Bureau, 05/31/18]
REALITY: Some wondered if Mulvaney’s suspension of CFPB data collection was actually an attack on the Bureau
- Mulvaney’s Freezing of CFPB Data Collection Was Seen as an Attack on Bureau’s Enforcement Capabilities. When Mick Mulvaney halted the CFPB’s “collection of all personally identifiable information […] The move raised concerns that the bureau’s enforcement actions would be stalled.” Mulvaney wanted to freeze collection until “the CFPB improve[d] its data security systems.” [Kate Berry, “CFPB’s Mulvaney to Warren: Breaches justified data-collection halt,” American Banker, 01/19/18; James Kin and Bowen Ranney, “CFPB data collection freeze impacting CFPB examinations,” Ballard Spahr LLP, 12/15/17]
- Mulvaney’s CFPB Data Collection Freeze Hampered Efforts to Monitor Compliance of Financial Institutions. The move to freeze data collection caused confusion among enforcement staff and “hamper[ed]…efforts to monitor financial firms for compliance with consumer protection rules.” [Jessica Eisinger, “The Consumer Financial Protection Bureau’s declaration of dependence,” ProPublica, 02/15/18]
###