February 08, 2018

Gillibrand And 31 Senate Colleagues Demand Answers On Stalled Investigation Into Equifax Breach

Millions Of New Yorkers’ Personal Information Was Put At Risk Due To Equifax Breach

Washington, DC – U.S. Senator Kirsten Gillibrand, along with 31 Senate colleagues, sent a letter to Consumer Financial Protection Bureau (CFPB) Acting Director Leandra English and Office of Management and Budget Director Mick Mulvaney demanding answers on reports that the CFPB has halted its investigation into how credit reporting agency Equifax failed to protect the personal data of over 145 million Americans.

Gillibrand was joined by U.S. Senators Schatz (D-HI), Menendez (D-NJ), Warren (D-MA), Brown (D-OH), Shaheen (D-NH), Tester (D-MT), Van Hollen (D-MD), Udall (D-NM), Heitkamp (D-ND), Duckworth (D-IL), Cortez Masto (D-NV), Merkley (D-OR), Reed (D-RI), Markey (D-MA), Donnelly (D-IN), Smith (D-MN), Baldwin (D-WI), Peters (D-MI), Murray (D-WA), Sanders (I-VT), Blumenthal (D-CT), King (I-ME), Wyden (D-OR), Hassan (D-NH), Feinstein (D-CA), Warner (D-VA), Klobuchar (D-MN), Stabenow (D-MI), Durbin (D-IL), Murphy (D-CT), and Jones (D-AL).

“We are deeply troubled by recent news reports that, under Director Mulvaney’s leadership, the CFPB has stopped its investigation into the Equifax breach,” the Senators wrote. “The CFPB is currently the only federal agency with supervisory authority over the largest consumer reporting agencies. Consumer reporting agencies and the data they collect play a central role in consumers’ access to credit and the fair and competitive pricing of that credit. Therefore, the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary.”

According to reports, CFPB has not issued any subpoenas, sought testimony from key executives at Equifax, or proceeded with on-site examinations.

The Equifax breach exposed data that included customers’ names, Social Security numbers, birthdates, addresses, driver’s license numbers, and, for some consumers, credit card numbers. This data could easily be used by criminals to steal people’s identity or commit fraud. The impact on consumers whose data has been stolen is potentially devastating. As a result of identity theft and fraud, customers face the risk of having debt accrued in their name. They could suffer long-lasting damage to their credit, which could lead to them being denied loans, mortgages, employment, or even rental housing. To resolve the damage done by this data breach, they will likely spend months, if not years, trying to correct resulting errors and problems with their financial records.

The full text of the letter is available here and below:

Leandra English

Acting Director, Consumer Financial Protection Bureau

1700 G Street, NW

Washington, DC 20552

Mick Mulvaney

Director, Office of Management and Budget

725 17th Street, NW

Washington, DC 20503

Dear Acting Director English and Director Mulvaney,

We write to express serious concerns that, according to recent news reports, the Consumer Financial Protection Bureau (CFPB) may have halted an investigation into the massive Equifax data breach, which compromised the personal information of 145.5 million Americans. 

The Equifax breach exposed significant gaps in cybersecurity standards in an industry that collects a substantial amount of personal information on virtually every adult in the country.  The three largest consumer reporting agencies alone collect information on more than 200 million Americans—information that is used in more than 3 billion consumer reports a year.  The data collected and reported by consumer reporting agencies determines Americans’ access to credit and the cost of that credit for individuals and small businesses.  This data also impacts Americans’ ability to get a job or secure housing.  By letting criminals gain access to its databases, Equifax has put nearly half the US population at risk for identity theft and fraud, which can ruin the financial lives of its victims and increase risk in our financial system. 

Unfortunately, in the immediate aftermath of the breach, Equifax’s response caused more consumer harm and confusion.  Just to name a few examples, the company responded by promoting its affiliated paid credit monitoring service (i.e., LifeLock), asking consumers to waive their rights to access free credit monitoring, and charging consumers to protect their data by freezing their credit reports.  Not only do we need to better understand how this breach has impacted consumers, we also must ensure that consumer reporting agencies are taking the steps necessary to mitigate this harm—not misleading consumers or taking advantage of the situation for their own financial gain.

As established by the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB has a statutory mandate to implement and enforce federal consumer protection laws.  This mandate specifically includes protecting consumers from “unfair, deceptive, or abusive acts and practices” and ensuring that “federal consumer financial laws are enforced consistently.”  Dodd-Frank specifically includes the Fair Credit Reporting Act as one of the enumerated federal consumer financial laws.  The CFPB also has clear supervisory authority over the largest consumer reporting agencies.  Consumer reporting agencies and the data they collect play a central role in consumers’ access to credit and the fair and competitive pricing of that credit.  Therefore, the CFPB has a duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary. 

We are deeply troubled by recent news reports that, under Director Mulvaney’s leadership, the CFPB may have stopped its investigation into the Equifax breach.  According to these reports, the CFPB has not taken even the most preliminary steps to conduct an investigation.  While we are aware of reports that the Federal Trade Commission (FTC) may be taking the lead in investigating Equifax’s failure to maintain adequate data security standards, the CFPB still has a duty to investigate the harm to consumers and whether other federal consumer financial laws have been violated.  We are also concerned that the CFPB appears to be scaling back its supervision of large consumer reporting agencies.  The agency has reportedly scrapped plans to conduct on-site exams of Equifax and other consumer reporting agencies and turned down offers from the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency to help with such on-site exams.

The responsibility of consumer reporting agencies as custodians of consumers’ personal and financial information is of paramount importance to us and our constituents.  Several committees in both the House and Senate have held hearings to investigate the causes of the breach and the inadequate post-breach response.  The CFPB has a statutory mandate to participate in this process by conducting an investigation.  If that investigation exposes wrongdoing or consumer harm, the CFPB has the authority, and indeed a duty, to bring appropriate enforcement actions.

We respectfully ask for more information about the CFPB’s actions with respect to investigating the Equifax breach.  Specifically, please answer the following questions by February 19, 2018:

  1. In September, then-CFPB Director Richard Cordray announced that the CFPB would begin a probe into the Equifax breach.  Has the CFPB stopped this or any other investigation related to this matter?
    1. If so, why was that or any investigation halted?
    2. Who directed the ending of any investigation?
  2. Is the CFPB planning to conduct on-site exams of Equifax and the other consumer reporting agencies under its supervisory authority?
    1. Has the CFPB conducted an examination of a consumer reporting agency following the Equifax hack?
  3. If the CFPB is conducting an investigation, what specific steps has the CFPB taken pursuant to this investigation?
    1. Has the CFPB issued Civil Investigative Demands (CIDs)?
    2. Has the CFPB interviewed Equifax personnel?
    3. Have the CFPB personnel examined Equifax systems or gone onsite to Equifax facilities?
  4. Is the CFPB coordinating with the FTC, state law enforcement officials, or other Federal regulators in their investigations?

Thank you for your prompt attention to this important issue.

Sincerely,