The Government Accountability Office (GAO) recently reviewed five financial regulators to understand their systems for protecting personally identifiable information (PII), which can be shared with Federal agencies, law enforcement, and contractors, and found room for improvement in certain areas.
According to GAO’s report, four of the five regulators did not fully follow key practices in certain areas, including documenting how they minimized the collection and use of PII by their IT systems.
“All five financial regulators have created privacy programs that generally take steps to protect PII in accordance with key practices in Federal guidance,” wrote GAO. “However, four of the regulators did not fully implement key practices in other privacy protection areas.”
GAO adds that unless these regulators take steps to mitigate the weaknesses, the PII they collect, use, and share could be at increased risk of compromise.
GAO made eight recommendations in total to help the Federal financial regulators better protect the PII they collect, use, and share. The Federal Deposit Insurance Corporation (FDIC) “generally agreed” with the single recommendation it received:
- FDIC should identify and specify metrics used to determine whether privacy controls are implemented correctly and operating as intended
Meanwhile, the Federal Reserve, the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) neither agreed nor disagreed with the recommendations they received, but instead described the steps they were planning to take and how they would implement them.
Recommendations for the Federal Reserve include:
- Define a process for documenting the actions taken to minimize collection and use of PII;
- Include information from systems maintained by Federal Reserve contractors in the Federal Reserve’s inventory of information systems that handle PII;
- Identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended; and
- Establish a timeframe for including, in the Federal Reserve’s written privacy continuous monitoring strategy, information on which privacy controls are to be tested.
The NCUA received two recommendations: that it enhance its ability to query an agency-wide inventory of information systems containing PII, and that it define a process for documenting the actions it takes to minimize the collection and use of PII.
Lastly, GAO recommended that OCC privacy program officials review intermediate process documentation, such as system privacy plans and security assessment plans.