The CFPB’s Office of Inspector General has issued a report indicating that, in performing an audit of the CFPB’s encryption of data on mobile devices issued to staff members, the OIG found the CFPB had not yet completed all of the steps previously identified by the OIG to address the risk created by unaccounted-for laptops. Because of the sensitive nature of the information, the OIG made only an executive summary of the report publicly available.
According to the summary, the CFPB has been unable to provide a full accounting of all laptops that have been assigned to users since the CFPB’s establishment. In June 2016, the OIG issued an “early alert memorandum” to the CFPB in which the OIG identified a number of steps the CFPB should take to gain assurance that the unaccounted-for laptops did not present an unacceptable level of risk to the CFPB and to strengthen technical controls for protecting sensitive data.
The OIG found that the CFPB currently has an effective process for encrypting data on its mobile devices, that its encryption methods meet federal requirements, and that it uses adequate password complexity and reset rules. However, the OIG also found that the CFPB had not yet completed all of the steps outlined in the OIG’s 2016 memo related to the data access of the individuals to whom the unaccounted-for laptops were assigned. In the new report, the OIG suggests additional actions the CFPB can take to strengthen its efforts to develop and implement an insider threat program and incident containment strategies.
Reportedly due to concerns about the CFPB’s data security systems raised in part by prior OIG reports, Mick Mulvaney, President Trump’s designee as CFPB Acting Director, imposed a freeze on the CFPB’s collection of personally identifiable information. The freeze has been criticized by Senator Elizabeth Warren, who called it a pretext for weakening the CFPB.