
Cybersecurity Requirements for CRAs


Key Takeaways

  • CRAs handle sensitive information about people. Failure to keep it secure can result not only in damage to those individuals but also in fines, lawsuits, and damage to the CRA's reputation.
  • CRAs are subject to data security regulations from federal regulatory agencies and also under state law.
  • There are cybersecurity best practices that all CRAs should observe.

Why CRAs Require Cybersecurity

The importance of CRA security became evident in 2017 when Equifax was breached, exposing the personal information of roughly 147 million people. While not every CRA is as large as Equifax, none is so small that a security breach would not be a major event. No CRA wants to be responsible for putting thousands or millions of confidential records in the hands of criminals.


Leaked records could include Social Security numbers, credit card information, and other data that malicious parties can use to commit crimes such as identity theft and fraud. In addition to the harm to innocent consumers, there is the damage to the reputation of the CRA. There may be fines from enforcement agencies. CRAs may find themselves appearing in industry news in a way they do not like. Regulators may step in and dictate, under a consent order, the safeguards that should have been there all along.


CRAs need to retrieve, store, and deliver sensitive data. They cannot fulfill their obligations to employers and other clients if they don’t discover and report the relevant background information. However, they must at the same time prevent this information from being intercepted and misused. There are known industry best practices for countering hackers’ attacks, and it’s incumbent on every CRA to understand and implement these.

What Data Security Regulations and Laws Are CRAs Subject To?

There is not a single overarching federal law addressing cybersecurity. Data security for CRAs is governed by state laws and federal agency regulations.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) became law in 1999. GLBA and the Fair Credit Reporting Act (FCRA) are the principal federal laws that dictate how CRAs must protect consumer information. Under GLBA's safeguards provisions, the FTC's Safeguards Rule mandates that every CRA maintain a comprehensive information security program to keep consumer data from falling into malicious hands.



GLBA authorizes the Federal Trade Commission to write and enforce data security rules for the financial institutions under its jurisdiction, CRAs among them; the FTC did so through the Safeguards Rule (16 CFR Part 314). Every CRA must have physical, technical, and administrative safeguards. The security program must identify reasonably foreseeable risks, both internal and external, to the security, confidentiality, and integrity of the consumer information the CRA handles, and must mitigate risks that could result in unauthorized disclosure or misuse of that data. The amended Safeguards Rule, whose main provisions took effect in June 2023, spells out several required controls: a designated qualified individual who owns the program, written risk assessments, multifactor authentication for anyone accessing customer information, encryption of customer information in transit and at rest, periodic penetration testing and vulnerability assessments, and a written incident response plan.


Consumer Financial Protection Bureau

The 2010 Dodd-Frank Act, largely a response to the 2008 mortgage crisis, created the CFPB, which is an agency that regulates the way banks and other financial institutions deal with consumers. Starting in 2018, the CFPB started examining CRAs with respect to their cybersecurity practices. It became an additional agency to serve as a watchdog over CRA data security practices.

State Laws

All 50 states, along with the District of Columbia and several territories, have data breach notification laws, and many states also impose affirmative data security duties on businesses that hold personal information. These laws tend to track the regulations put out by the FTC. Among other particulars, they require that CRAs notify affected consumers, and often the state attorney general, if there is a data breach.

Cybersecurity Requirements for Consumer Reporting Agencies

CRAs must comply with all laws and regulations to avoid harming consumers and to avoid legal penalties, lawsuits, and damage to their reputations. There are industry best practices that strengthen an entity’s cybersecurity and minimize the risk of a security breach that compromises data privacy. These include:

  • Physical security. The first step in cybersecurity is to keep the wrong people out of places where sensitive data resides. There must be controls to prevent unauthorized access to sites where data is stored and accessed. Any hard copies with customer information should be destroyed – shredded, incinerated, or pulped – when they’re no longer needed.
  • Data access controls. Provision accounts only for people who need access, and grant each account the least privilege its role requires. Enforce multifactor authentication, which the amended Safeguards Rule now requires for anyone accessing customer information. Prohibit shared user IDs, and require a password change whenever there is any indication of compromise; forced rotation on a fixed schedule is no longer recommended by NIST SP 800-63B, because it tends to produce weaker, predictable passwords. Terminate access promptly when someone leaves or transfers. Periodically review user lists and user activity to confirm that data is accessed only on an as-needed basis.
  • Infrastructure maintenance. Keep firewalls, routers, servers, workstations, and all other hardware and software current with updates and patches, prioritizing internet-facing systems; the Equifax breach began with a publicly known, already-patched flaw in the Apache Struts web framework that had not been applied to a consumer-facing portal. Disable unnecessary services on devices.
  • Encryption. Encrypt data both at rest and in transit: TLS 1.2 or later for data in motion, and strong symmetric encryption such as AES-256 for stored data, with keys managed separately from the data they protect.
  • Monitoring. Put logging mechanisms in place to detect unauthorized access and report any security incidents. Be able to assign accountability and reconstruct events when necessary.
  • Testing. Perform penetration testing and vulnerability scanning to find weaknesses before attackers do. The amended Safeguards Rule calls for annual penetration testing and vulnerability assessments at least every six months (and after material changes) unless the CRA continuously monitors its systems.
  • Data protection. In addition to encryption, regularly back up data to a protected location. Do not allow data to be stored locally on tablets and mobile devices. Conduct exercises to test data recovery procedures.
  • Network security. Segment the network so that systems holding consumer data are isolated from general office systems and from internet-facing services, restrict inbound and outbound traffic to what each segment actually needs, and monitor traffic at segment boundaries.
  • Written policies. Maintain an up-to-date reference source with complete and detailed cybersecurity policies and procedures. Ensure that everyone knows it exists and where to find it.
  • Education. Conduct training for all employees who deal with customer data. Ensure they are familiar with regulations concerning compliance, proper data handling, and protection of consumer data and consumer privacy.
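The access-control and monitoring items above come down to a routine that many CRAs still do by hand: take the audit log from the report-lookup system, compare it with the HR roster, and ask who is touching consumer records that should not be, and who holds access they never use. The script below is an added example written for this article, not code from any CRA, vendor, or regulator. It assumes a JSON Lines audit log with the fields ts (ISO 8601, UTC), user, action and subject_id, and an HR roster keyed by account name; the roster, log lines, business hours and 90-day staleness threshold are all constructed for illustration.

```python
"""Periodic access review over a report-lookup audit log.

Added example, not part of the original article or of any vendor's product.
Assumptions: each audit event is a JSON line with the fields ts (ISO 8601,
UTC), user, action and subject_id; the HR roster maps each account to its
status and, for former staff, the termination timestamp. All data below is
constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed HR roster: account -> status and termination date (if any).
ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": "2024-05-01T00:00:00Z"},
    "carol": {"status": "active", "terminated": None},
    "dave": {"status": "active", "terminated": None},
}

# Constructed audit log in JSON Lines form (one event per line).
ACCESS_LOG = """\
{"ts": "2024-06-03T14:05:11Z", "user": "alice", "action": "view_report", "subject_id": "S-1001"}
{"ts": "2024-06-03T14:06:40Z", "user": "alice", "action": "view_report", "subject_id": "S-1002"}
{"ts": "2024-06-04T02:17:03Z", "user": "carol", "action": "export_report", "subject_id": "S-2001"}
{"ts": "2024-06-05T09:30:00Z", "user": "bob", "action": "view_report", "subject_id": "S-3001"}
{"ts": "2024-06-05T09:31:00Z", "user": "bob", "action": "view_report", "subject_id": "S-3002"}
{"ts": "2024-06-05T10:00:00Z", "user": "mallory", "action": "view_report", "subject_id": "S-3003"}
{"ts": "2024-02-20T11:00:00Z", "user": "dave", "action": "view_report", "subject_id": "S-4001"}
"""

REVIEW_DATE = datetime(2024, 6, 10, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)       # assumed threshold for unused access
BUSINESS_HOURS = range(7, 20)          # assumed 07:00-19:59 UTC


def parse_ts(value):
    """Parse an ISO 8601 timestamp ending in Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Turn JSON Lines audit text into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = parse_ts(event["ts"])
            events.append(event)
    return events


def review_access(events, roster, review_date, stale_after=STALE_AFTER,
                  business_hours=BUSINESS_HOURS):
    """Return the findings an access reviewer should act on.

    Checks: activity by accounts not on the roster, activity by terminated
    accounts on or after their termination date, activity outside business
    hours, and active accounts that have not used their access within
    stale_after (those are candidates for removal under least privilege).
    """
    findings = []
    last_seen = {}
    for event in events:
        user, ts = event["user"], event["ts"]
        last_seen[user] = max(ts, last_seen.get(user, ts))
        entry = roster.get(user)
        if entry is None:
            findings.append({"finding": "unknown_account", "user": user, "ts": ts})
        elif entry["status"] == "terminated" and ts >= parse_ts(entry["terminated"]):
            findings.append({"finding": "terminated_account_active", "user": user, "ts": ts})
        if ts.hour not in business_hours:
            findings.append({"finding": "after_hours", "user": user, "ts": ts})
    # Access nobody uses is access nobody needs: flag it for removal.
    for user, entry in roster.items():
        if entry["status"] != "active":
            continue
        seen = last_seen.get(user)
        if seen is None or review_date - seen > stale_after:
            findings.append({"finding": "stale_access", "user": user, "ts": seen})
    return findings


def count_by_kind(findings):
    """Summarize findings as {finding_type: count} for the review report."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(parse_log(ACCESS_LOG), ROSTER, REVIEW_DATE)
    for f in results:
        print(f"{f['finding']:28s} {f['user']:8s} {f['ts']}")
    print(count_by_kind(results))
```

Run against the constructed data, the review surfaces exactly the cases the bullets above warn about: a terminated employee (bob) whose account was never disabled and is still pulling reports, an account (mallory) that exists in the application but not in HR's roster, an export at 2 a.m. that deserves a question, and an active employee (dave) who has not used the system in over 90 days and should lose access until it is needed again. The same structure extends to other signals the log supports, such as an unusual volume of lookups per user per day or exports by roles that only need to view.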

Bottom Line


Hackers are searching for confidential data 24/7. Any vulnerability in a CRA’s cybersecurity practices, from inadequate protection of passwords to firewall failure to physical site security, could put that CRA in the headlines in a negative way. Every CRA must be constantly vigilant to ensure they are observing industry best practices in their collection, maintenance, and transmission of confidential data.


Cybersecurity requirements for CRAs are established and enforced by the FTC under the Gramm-Leach-Bliley Act of 1999 and its Safeguards Rule. The Consumer Financial Protection Bureau has also started to examine CRA cybersecurity practices. All 50 states have enacted legislation that reaches CRA data security, including breach notification requirements.

While every CRA is responsible for conforming with regulations, they should look even more to the latest cybersecurity best practices to ensure that they are adequately protecting sensitive data. At Eagle Eye Screening Solutions, we specialize in comprehensive background checks and robust cybersecurity measures to protect sensitive information. Our cutting-edge automated systems and extensive experience ensure you receive fast, accurate, and secure reports. Contact us today to learn how we can help safeguard your business from potential cyber threats and maintain compliance with all regulatory requirements.
