If you're one of the 25 million to 75 million U.S. credit cardholders whose account information has been gathered by the CFPB, your financial data may not be as safe as it should be.

The U.S. Governmental Accountability Office recently analyzed the bureau's data security practices and was not pleased with the agency's data management practices when it came to credit cards and 12 other financial services areas.

The September issue of GAO Highlights identified three major areas in which the CFPB's large-scale data collection tactics and information management methodologies leave significant room for improvement.

“It literally took an act of Congress to obtain this information because the unaccountable CFPB would not answer our questions,” Financial Services Committee Chairman Jeb Hensarling (R-Texas) said following Monday's release of the GAO report.

As part of its government mandate, the GAO examined laws, regulations and contracts pertaining to the CFPB's data collection methodologies, risk management in storing data and other security issues regarding U.S. consumer financial information.

While the CFPB does have some control mechanisms in place, the agency needs to take even greater steps to keep consumer financial information secure, according to the report.

“The American people are rightfully worried about the massive amounts of private information government collects on their personal lives, especially in this age of criminal hackers, data breaches and identity theft,” Hensarling said.

He added, “This report reveals troubling deficiencies in the CFPB's data security procedures and privacy controls, as well as an apparent effort by the CFPB to skirt the consumer privacy protections required by Congress in both the Dodd-Frank Act and the Paperwork Reduction Act.”

The GAO study revealed that the CFPB lacked written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments.

The lack of written procedures could result in inconsistent application of the established practices, the study noted, and indicated several steps necessary for the CFPB to bring its data collection management and security in line.

The GAO recommended that the CFPB establish or enhance written procedures for data intake, including reviews of proposed data collections for compliance with applicable legal requirements and restrictions; better anonymization of data; assessing and managing privacy risks; monitoring and auditing privacy controls; and documenting results of information security risk assessments consistently and comprehensively.

The CFPB was also tagged for not implementing adequate privacy control steps and information security practices, which could hamper the agency's ability to identify and monitor privacy risks and protect consumer financial data.

The GAO recommended that the CFPB develop a comprehensive privacy plan, undergo periodic independent privacy reviews, develop necessary staff privacy training and take other steps necessary to improve its overall data security.

Finally, the report suggested that both the CFPB and the Office of the Comptroller of Currency work more closely together under consultation from the Office of Management and Budget to more effectively and securely share credit card data that each collects to make sure each office is in compliance with PRA.

In addition to credit card transaction information, Hensarling said the CFPB's programs include the monthly collection of 11 million credit reports, 195 million mortgage loans and 700,000 auto sales transactions linked with consumer credit data. Those numbers don't include the National Mortgage Database, which was not fully examined by the GAO as part of this report.

“It seems the CFPB is trying to out-NSA the NSA when it comes to accumulating information on Americans,” Hensarling said. “This is, without a doubt, an unwarranted and shocking intrusion into the privacy of American citizens.”
