Add the Consumer Financial Protection Bureau to the list of federal agencies expected to punish Equifax for the massive security breach that exposed the personal data of around 143 million Americans.
According to a Reuters news report, the consumer finance watchdog, created after the 2008 financial crisis, will utilize the wide-ranging powers it has used with Wall Street to come down on Equifax.
The Federal Trade Commission and the Department of Justice are already investigating the cyberattack. In addition, Equifax is being sued by the state of Massachusetts, and is also facing a class-action lawsuit filed on behalf of 28 million small businesses impacted by the breach and another suit just filed by Summit Credit Union.
Because Equifax is not strictly a financial company, there was uncertainty over whether the CFPB has the power to penalize the firm for the breach. But legal experts said it is likely to weigh in using powers it wields under the 2010 Dodd-Frank Act.
“Its Dodd-Frank mandate gives the CFPB authority to investigate Equifax even without cybersecurity rules,” said Quyen Truong, a partner at law firm Stroock & Stroock & Lavan who was the assistant director and deputy general counsel for the CFPB until early 2016.
The CFPB and legal experts said the regulator could pursue Equifax under an aspect of the Dodd-Frank Act that bans unfair, deceptive and abusive acts and practices (UDAAP). Based on this aspect of the law, the CFPB even fined Equifax in January for allegedly deceiving consumers about the usefulness and cost of credit score information they bought.
A CFPB spokesperson declined to say whether the agency already has plans to open an investigation. In addition to forcing companies to take certain actions or desist from damaging behaviors, the CFPB can fine them up to $1 million per day if a company knowingly violates the law.
Last week, U.S. Senator Elizabeth Warren wrote a letter to the CFPB, which she helped create, stating that it may require additional powers to ensure closer federal oversight of credit reporting agencies.