On March 26, 2019, the Government Accountability Office (GAO) publicly released a report issued on February 21, 2019, entitled “The Actions Needed to Strengthen Oversight of Consumer Reporting Agencies,” in which the GAO recommends, among other things, that Congress consider giving the FTC civil penalty authority to enforce initial violations of GLBA’s privacy and safeguarding provisions.
This report is one in a series of reports that respond to a request from Congress concerning a major credit reporting agency’s (CRA) 2017 consumer information data breach. Specifically, this report examines, among other things, the oversight of CRAs and the FTC’s ability to enforce CRA compliance.
The FTC currently has authority to seek injunctions and disgorgements for initial violations of GLBA’s privacy and safeguarding provisions. However, the FTC is often unable to determine the monetary harm suffered by individual consumers. Further, the GAO believes that since consumers may not be aware that their identities have been stolen as a result of a breach, the related harm may occur years in the future.
Thus, according to the GAO, having civil penalty authority for these GLBA provisions would allow the FTC to fine a company for a violation such as a data breach, without needing to prove the monetary harm suffered by individual consumers. Importantly, Andrew Smith, the Director of the Bureau of Consumer Protection at the FTC, also testified before Congress and agreed with the GAO’s recommendation that the FTC be given civil penalty authority for initial violations of GLBA.