GAO finds holes in privacy laws

A new Government Accountability Office report concludes that privacy laws do not fully protect personal data when sold by information resellers. GAO suggests that Congress tighten the laws and provide civil penalties to enforce them.

The report, released today, examines how financial institutions, such as banks, securities firms and credit card companies, use personal data obtained from information resellers. Agency officials assessed documents and interviewed major resellers and financial institutions for almost a year.

GAO said the country’s primary federal privacy and data security laws – the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) – have limited ability to police infractions or punish resellers that flout the law.

FCRA requires companies to safeguard and restrict their use and dissemination of consumer information that they analyze when making eligibility determinations for insurance, loans, credit and mortgages. Some companies use the data to comply with the Patriot Act.

GLBA’s privacy provisions cover the sharing of nonpublic data collected by or acquired only from financial institutions.

GAO found the laws had limited jurisdiction and that the sensitive personal data resellers amassed “is often not covered by explicit statutory safeguarding requirements.”

As an example, the report states that some resellers maintain Social Security numbers in antifraud databases or household incomes in marketing databases “that they do not consider subject to FCRA’s or GLBA’s safeguarding provisions.”

The report also found that since 1972 the Federal Trade Commission, the primary agency responsible for enforcing privacy law compliance, has initiated more than 20 formal enforcement actions against resellers, including the three national credit reporting bureaus. But the FTC has no civil penalty authority under GLBA.

GAO recommended that Congress consider amending the laws to require resellers to safeguard all sensitive personal data and give the FTC civil penalty authority.

About the Author

David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is a freelance writer living in Annandale, Va.

