A Republican group says that when Richard Cordray worked for the federal government, he collected Americans’ financial data in secret and then the data was hacked.
"Cordray was supposed to protect Americans from financial crime," says a TV ad by the Republican Governors Association in Ohio. "Instead, Cordray secretly collected hundreds of millions of credit card accounts and mortgages. Worse, Cordray failed to protect our information. It was hacked over 200 times. Your data compromised."
The ad makes it sound like Cordray collected information on his own initiative, but it’s actually referring to Cordray’s role in the federal government as the first director of the Consumer Financial Protection Bureau, formed under President Barack Obama over the objections of Republicans.
It’s misleading to state that Cordray collected data in secret because the law allowed data collection. It’s also misleading to suggest that there was a hack, which implies an outsider broke into the data. However, there was a security breach. We’ll explain the full context.
Cordray left his job at the consumer bureau in 2017, and Mick Mulvaney, a critic of the bureau, took over.
The 2010 Dodd-Frank Act created the bureau and gave it authority to gather and compile information from a variety of sources, such as consumer complaints, voluntary surveys, surveys and interviews with consumers and financial service providers, and reviews of available databases. The law also contained privacy provisions.
We found examples dating back to 2010 of supporters and opponents commenting on the data collection. In an article in Bank Technology News, Sen. Elizabeth Warren, D-Mass., praised the idea of essential "real-time data collection" so that the bureau could be an "effective cop." An editorial in the Orange County Register quoted an expert who raised concerns about the bureau’s plans to collect data on consumers’ transactions.
A federal Government Accountability Office report in 2014 discussed in detail how the bureau collected data from financial institutions and financial aggregators.
Jeff Sovern, who teaches consumer protection law at St. John’s University, said it would be hard to collect information about the functioning of consumer financial markets without seeing information about credit cards and mortgages.
"The bureau was established in part to keep the mortgage lending that led to the Great Recession from happening again, after all," he said.
The ad contained no citations for its claims, although association spokesman Jon Thompson sent us news articles pertaining to both. Thompson pointed to Cordray’s testimony Jan. 28, 2014, before a House committee.
U.S. Rep. Sean Duffy, R-Wis., asked Cordray: "Would you object to getting permission from consumers, those people who you work for, before you collect and monitor their information?"
Cordray said if the bureau had to get individuals’ permission before it sought aggregate data about the credit card market, that "would have the purpose of completely making it impossible for the agency to have any kind of data to know what's going on in these markets."
Todd J. Zywicki, a George Mason University law professor and critic of the bureau under Cordray, said that most Americans don’t know that their private information is transmitted from banks to the government.
"In that sense, ‘secret’ seems like an accurate term to me," he said.
(News reports said that the Trump administration considered Zywicki to take over the bureau.)
As for the claim that the information was hacked, the RGA pointed to Mulvaney’s response during an April 12, 2018, Senate committee hearing to a question about whether the data had been hacked.
Mulvaney replied: "I want to be careful about what I say and I'll be happy to talk about this more in private, but we have been able to document about 240 lapses in our data security."
Mulvaney said an additional 800 lapses were suspected but hadn’t been confirmed.
Mulvaney provided similar information in January in a letter to Warren stating that before his tenure there were 233 confirmed breaches of personally identifiable information within the bureau’s consumer response system by the bureau or contractors. To put that number in context, the consumer bureau has handled more than one million complaints.
(A spokesman for the bureau provided PolitiFact with the letter sent to Warren but declined to answer questions.)
Mulvaney told senators he instituted a data collection freeze and had hired an outside party to test the integrity of the system.
On May 31, Mulvaney told his staff in an email that "after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift that hold. The independent review concluded that ‘externally facing bureau systems appear to be well-secured.’"
Zywicki said that the use of the term "hack" in the ad is not correct.
"There have been hundreds of compromises of consumer information, but mainly they have been by inadvertently disclosing personally identifiable information by the contractors who collect the information that gets dumped into the consumer complaint database," he said.
A Republican Governors Association ad said that Richard Cordray "secretly collected hundreds of millions of credit card accounts and mortgages. Worse, Cordray failed to protect our information. It was hacked over 200 times."
It’s misleading to state that the data was collected in secret when the law established that the bureau could collect data to protect consumers. If some consumers didn’t realize the data would be collected, that doesn’t mean it was a secret.
"Hack" is the wrong term -- it implies some nefarious person hacked into the data, and that’s not the case. There were breaches of personal information by the bureau or contractors.
We rate this claim Mostly False.
Republican Governors Association, Ad, July 18, 2018
Congress.gov, H.R.4173 - Dodd-Frank Wall Street Reform and Consumer Protection Act, Became law July 21, 2010
Boston Globe, "Consumer bureau chief defends big-data program," April 4, 2013
Orange County Register, "The next 2,000-page bill," May 11, 2010
US News, "How the New Consumer Bureau Will Help You," Sept. 15, 2010
Bank Technology News, "Warren's CFPB Embraces Big Data," December 2010
The Washington Examiner, "Federal consumer bureau data-mining hundreds of millions of consumer credit card accounts, mortgages," Jan. 29, 2014
Investor’s Business Daily, "Forget Facebook, Here’s the Real Privacy Scandal," April 13, 2018
Government Accountability Office, "Consumer Financial Protection Bureau: Some Privacy and Security Procedures for Data Collections Should Continue Being Enhanced," Sept. 22, 2014
Inspector General, Report on the Independent Audit of the Consumer Financial Protection Bureau’s Privacy Program, Feb. 14, 2018
CyberScoop, "Mulvaney: CFPB hit by over 200 data 'lapses,'" June 12, 2018
CyberScoop, "After security testing, CFPB to resume collecting consumer data," June 1, 2018
Mick Mulvaney, Acting Director of the Consumer Financial Protection Bureau, Letter to U.S. Sen. Elizabeth Warren, Jan. 18, 2018
Consumer Financial Protection Bureau, Accessed Aug. 13, 2018
United States Senate Banking, Housing, and Urban Affairs Committee, transcript of Mick Mulvaney hearing, April 12, 2018
House Financial Services Committee hearing on the Consumer Financial Protection Bureau's semi-annual report to Congress, April 11, 2018
American Banker, "CFPB's Mulvaney to Warren: Breaches justified data-collection halt," Jan. 19, 2018
American Banker, "Mulvaney response to CFPB data security gaps baffles cyber experts," April 23, 2018
PolitiFact, "Carly Fiorina says Consumer Financial Protection Bureau has 'no congressional oversight,'" Nov. 14, 2015
Interview, Jon Thompson, Republican Governors Association spokesman, July 26, 2018
Interview, Mike Gwin, Richard Cordray spokesman, July 27, 2018
Interview, Sam Gilford, Consumer Financial Protection Bureau spokesman, July 30, 2018
Interview, Jeff Sovern, St. John’s University law professor, July 30, 2018
Interview, Todd J. Zywicki, George Mason University law professor, Aug. 10, 2018