Proposed rule would bar sale of Americans’ financial data to adversaries

The Consumer Financial Protection Bureau on Tuesday proposed a long-anticipated rule that would require data brokers to comply with credit bureau reporting standards, in an effort to prevent Americans’ financial data from being obtained by foreign rivals and cybercriminals that may use the information for intelligence gathering and exploitation.

The rule would lodge data brokers under a new compliance definition that would, in essence, direct them to follow the Fair Credit Reporting Act. It would also require those brokers to institute protections for personal identifiers used in credit reports — such as income or a FICO score — and mandate explicit consumer consent for sharing credit data.

The proposal — first floated in April by agency chief Rohit Chopra — was born out of an executive order signed by President Joe Biden earlier this year, which was focused on preventing Americans’ sensitive personal data from falling into the hands of foreign adversaries.

The Fair Credit Reporting Act was enacted in 1970 to ensure accuracy, fairness and privacy in the collection and use of consumer credit information. It grants consumers rights to access and dispute their credit reports, limits who can access this data and regulates credit reporting agencies with enforcement by the federal government and state attorneys general.

The data broker industry collects and sells detailed information about individuals and packages their everyday habits and behaviors into data points that are used for targeted advertising, credit scoring, risk assessments and other commercial matters. The CFPB contends that national security threats against the U.S. would increase if such data were to be obtained by nation-state spies or cybercrime operatives. 

The dynamic also presents personal safety risks for vulnerable populations, law enforcement, judges and domestic violence survivors, whose sensitive information can be easily purchased and misused, the agency argued.

“Today’s proposed rule is a major step forward to ensure that companies trafficking in Americans’ most sensitive information face real consequences for violating long-standing law and for putting people and our country at risk,” CFPB head Rohit Chopra said in a news conference with reporters.

The Biden administration is seeking to prohibit transactions that data brokers make to “countries of concern” on grounds that such data can be surreptitiously processed by foreign hackers or spies, enabling myriad national security risks and exposing American citizens to surveillance, blackmail and other privacy violations. A separate DOJ rulemaking proposal tied to the executive order was released in October.

A coalition of former officials and groups representing federal employees and military servicemembers last month pressed CFPB to adequately address national security risks tied to the collection, aggregation and sale of Americans’ personal data by data brokers.

“The sale of Americans’ financial data is particularly valuable to malicious actors, because it provides exploitable insights — that in some cases, are not found elsewhere — into personal debts, gambling problems, marital fissures, overseas bank accounts, and other sensitive matters that can be opportunities for blackmail, pressure, and recruitment,” wrote the group.

A CFPB official, who spoke on background per agency-set guidelines, said that sensitive financial data could be used to target victims more precisely. For instance, a U.S. military member with a low credit score may be targeted with a phishing email, aiming to trick them into handing over data that may improve their creditworthiness, when in reality, the scam would steal their personal information or classified workplace assets.

“The CFPB developed this proposed rule based on extensive market monitoring that revealed widespread evasion of consumer protections,” the agency said in a press release Tuesday. “The agency found that data brokers routinely sidestep the [Fair Credit Reporting Act] by claiming they aren’t subject to its requirements — even while selling the very types of sensitive personal and financial information Congress intended the law to protect.”

An investigation last month revealed that practically anyone could purchase data that maps the day-to-day patterns of U.S. military servicemembers and intelligence analysts in Germany, as well as contractors that worked on-site at sensitive locations. Last year, Duke University researchers said they were able to purchase reams of sensitive data on American servicemembers and their families for as little as 12 cents per record.

Myriad hacking incidents over the past decade have exposed the personal data of federal employees, military members and ordinary Americans. An infamous breach of the Office of Personnel Management that surfaced in 2015 helped galvanize attention to the issue after hackers pilfered data on millions of current and former federal workers.

A well-documented 2017 hack at Equifax also compromised the data of some 150 million Americans and received harsh congressional oversight. It was later attributed to Chinese nation-state operatives.

The agency is seeking comments on the proposed rule before March 3 of next year, requiring the incoming GOP administration to oversee its implementation after President-elect Donald Trump takes office in January. The CFPB official said there is “broad bipartisan recognition that data brokers pose real dangers, both to Americans’ privacy and to national security.”