Multiple state and federal laws require consumer reporting agencies (CRAs) to properly handle sensitive consumer information. In 2018 the CFPB began examining the nationwide CRAs on their cybersecurity practices, and the FTC has important responsibilities for setting cybersecurity standards for CRAs.
Consumer reporting agencies (CRAs) are subject to many different federal and state laws and regulations related to properly handling sensitive consumer information.
The Gramm-Leach-Bliley Act
The main law mandating that CRAs ensure the security and confidentiality of personal information is the Gramm-Leach-Bliley Act (GLBA), enacted in 1999. As financial institutions under GLBA, credit bureaus are subject to significant data security regulation through Section 501(b), which requires the Federal Trade Commission (FTC) to promulgate rules requiring the financial institutions under its jurisdiction to have measures in place to keep customer information secure.
The Safeguards Rule under GLBA
Pursuant to its GLBA mandate, the FTC issued the Safeguards Rule, which requires financial institutions to maintain a comprehensive information security program to keep customer financial information secure. The program must contain administrative, technical, and physical safeguards, and it must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, or other compromise. The Rule also specifies other elements of the information security program that financial institutions under the FTC's jurisdiction must design and implement. The FTC's Safeguards Rule is aligned with the interagency information security guidelines that the federal banking regulators impose on banks. The FTC has enforcement power to ensure compliance with these data security standards. Note that the FTC amended the Safeguards Rule in 2021 to add specific required controls, including encryption of customer information in transit and at rest and multi-factor authentication for anyone accessing customer information, so the current Rule is more prescriptive than the risk-based program originally described here.
The FTC Act
More generally, the FTC also retains authority under Section 5 of the FTC Act to enjoin unfair or deceptive acts or practices. The FTC has used this authority more than 60 times to bring enforcement actions against businesses alleged to have unreasonable information security practices.
Examination by the Consumer Financial Protection Bureau
In 2010, the Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB), which has the authority to enforce multiple federal consumer laws against CRAs, as well as to write rules and to supervise and examine them. While the CFPB does not have authority to enforce, or exert supervisory authority over, the GLBA data security provisions, it does have a broad mandate under the Dodd-Frank Act to protect consumers from unfair, deceptive, or abusive acts or practices. In July 2018, the CFPB announced that it was using this consumer protection authority to supervise and examine the information security practices of the nationwide CRAs. The three nationwide credit bureaus are therefore subject to supervision and examination of their data security practices by the CFPB, in addition to the enforcement power of the FTC under the GLBA Safeguards Rule.
State Requirements and Enforcement
In addition to federal agencies, the CRAs are also subject to state authority over how they protect personal consumer information. Foremost, all 50 states have data breach laws that require the CRAs to notify consumers of a data breach. While most of these breach laws exempt financial institutions that are supervised by prudential banking regulators and subject to GLBA, CRAs receive no such exemption. In addition, at least 13 states have laws that require information safeguards similar to those in GLBA, and three states have enacted specific information security duties that apply to CRAs. Almost all states have broad consumer protection laws that prohibit unfair and deceptive acts and practices, similar to the FTC Act; these laws can be used to bring actions for inadequate information security. It is also noteworthy that a majority of states require organizations to protect the confidentiality of Social Security numbers. These state laws are enforced by the state attorney general or another state official.
Contractual Obligations Imposed Due to Other Regulatory Frameworks
Even beyond these direct governmental requirements, CRAs are subject to substantial additional obligations that result from doing business with other major financial institutions. Many of the credit bureaus' customers are financial institutions whose information security programs are supervised by federal prudential regulators. Under the comprehensive and detailed information security and third-party risk management standards published by the Federal Financial Institutions Examination Council (FFIEC), these financial institutions must oversee the cybersecurity programs of the service providers they rely on, including the CRAs they work with, and they typically pass those expectations through to the CRAs by contract.
The nationwide CRAs also comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of cybersecurity requirements that are mandatory for all organizations that store, process, or transmit cardholder data for the major payment card brands. All three of the nationwide CRAs have been certified by the card networks as "PCI DSS Validated Service Providers." PCI DSS compliance must be validated annually.