CRAs, or consumer reporting agencies, regularly handle sensitive information about consumers. However, there are a few rules and regulations they must follow. In this article, we’ll examine why CRAs require comprehensive compliance and information security to help shed some light on this requirement.
Reasons Why CRAs Require Comprehensive Compliance and Information Security
In 2017, Equifax, a very large CRA, was compromised by hackers. This led to the information of 145.5 million consumers being leaked. Normally, these companies will keep this data secure before selling it, but hackers have always found ways to steal the data.
Consumers themselves have very little control over what a CRA can collect. Although government regulation is high in this industry, many companies aren’t held accountable to federal regulators. The Consumer Financial Protection Bureau doesn’t factor in security breaches as part of examinations of CRAs.
Because of oversight and underenforcement, many CRAs have been able to get away with security violations and illegal practices. Government investigations of larger CRA’s have unearthed many breaches and violations, which the CRAs had to settle in court.
CRAs handle sensitive information, ranging from social security numbers, credit card information, and even businesses’ insurance information. Hackers with malicious intent can steal this information and commit various crimes. From identity theft, scams, and more, criminals have no limit on what they can do with this information.
Which Laws and Regulations are CRAs Subject To?
Years ago, in 1999, the Gramm Leach Billey Act (GLBA) was enacted. Today, along with the Fair Credit Reporting Act (FCRA), it remains the main law concerning CRAs and how they must protect consumers’ information from falling into the wrong hands. The GLBA itself has several rules that deal with different aspects of CRA information security.
Under the GLBA, the Safeguards Act was issued to keep consumer information safe. CRAs must have a complete and comprehensive security program to ensure the security of customers’ sensitive information. The program must contain safeguards of various natures, physical, technical, and administrative, that can identify threats to the information’s confidentiality.
The Safeguards Act also established a standard CRAs must follow and maintain. The Federal Trade Commission received enforcement powers to ensure these CRAs are complying with the data security standards.
The FTC also has the power under Section 5 of the FTC Act to penalize CRAs that fail to maintain consumer data confidentiality. This also includes unfair and illegal acts.
Other than federal law, all 50 states have laws that require CRAs to protect sensitive consumer information. These state laws more or less resemble the standards the FTC Act upholds. Most importantly, CRAs must notify all consumers in the event of a data breach.
For example, Equifax had to agree to a Consent Order with state agencies after its 2017 security breach. The company was required to improve its cybersecurity, internal control structure, and oversight of the security program. Equifax also had to provide regular and scheduled follow-up reports to the state, in addition to other actions as necessary.
Other requirements of the Consent Order include compiling a list of remediation projects in response to the breach, the need for a third-party organization to validate said projects and report to the state, and more.
In addition to these security measures, CRAs are obligated to bolster their cybersecurity efforts. They must work with state agencies such as the Federal Financial Institutions Examination Council (FFIEC) and the Financial and Banking Information Infrastructure Committee (FBIIC).
Compliance and InfoSec: The Logical Choice
CRAs require supervision and compliance to consumer information security laws due to the information they handle. Criminals can easily misuse the information if they get their hands on it. If you’re interested in background checks and privacy, please visit our website today to learn more!