The Consumer Financial Protection Bureau is working through the fallout of a major data breach.
Politico reports the CFPB claimed one of its employees forwarded the personal information of more than a quarter-million consumers to a personal email account.
The employee was fired when the data breach came to light. It was reported the employee sent spreadsheets with names and transaction-specific account numbers related to those 256,000 consumer accounts at a single institution.
CFPB spokesperson Sam Gilford said in the Politico article, the bureau has referred the matter to the inspector general and is “taking appropriate action to address this incident.”
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” Gilford said. “All CFPB employees are trained in their obligations under bureau regulations and Federal law to safeguard confidential or personal information.”
Agency staff told lawmakers they had learned of the breach Feb. 14 in an email notifying them about the “major incident” that they sent on March 21.
The CFPB incident comes as the deadline for the implementation of the Federal Trade Commission’s Safeguards Rule nears.
The FTC Safeguards Rule deadline is June 9. It was extended from December in November.
According to the FTC, the Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
The updated rules approved in October 2021 require financial institutions to designate an individual to oversee their security program, develop a written risk assessment, limit and monitor who can assess customer information, encrypt information, train security personnel, develop a response plan, assess security practices of service providers and implement multi-factor authentication for any individual accessing customer information.
Penalties can range up to $46,517 per violation.
The Texas Independent Automobile Dealers Association is offering a course on the requirements of the Safeguards rule. Register here.