
Connolly and Krishnamoorthi Demand Answers from CFPB on the Reported Slowdown of the Investigation into the 2017 Equifax Data Breach

Today, Reps. Gerry Connolly (D-VA) and Raja Krishnamoorthi (D-IL) sent a letter to Consumer Financial Protection Bureau Acting Director Mick Mulvaney requesting his response to recent reports that the Bureau is slowing down or ending its investigation into the September 2017 data breach of Equifax, one of the nation’s largest consumer credit reporting agencies. The breach exposed the personal information of 143 million Americans, and its existence was shamefully kept secret from the American public for six weeks. Acting Director Mulvaney’s predecessor launched an investigation into this massive breach of public trust, and it is imperative that current CFPB leadership commit to seeing this investigation through to its completion.

“Consumers must have faith that entities which house personally identifiable information such as addresses, Social Security Numbers, and other sensitive information are using industry best practices to secure this data,” the members wrote. “The immense scale of the breach combined with Equifax’s failure to alert the public for six weeks endangered the privacy of millions of consumers. By slowing down or halting CFPB’s investigation into the Equifax data breach, the Bureau is sending a signal to both businesses and consumers that there will be no consequences to future data breaches.”

“The core mission of the Consumer Financial Protection Bureau is to provide the American public with advocacy and security in the face of harmful assaults against their basic rights as consumers,” said Rep. Connolly. “If Acting Director Mulvaney has indeed decided to phase out the investigation into the Equifax breach, then he has completely abdicated his responsibility to the American consumers he swore to protect.”

To better understand the status of CFPB’s investigation, Connolly and Krishnamoorthi asked Acting Director Mulvaney to provide answers to the following questions:

  1. What decisions have you personally made regarding CFPB’s investigation into the Equifax data breach?
  2. Has CFPB assessed whether Equifax has complied with federal consumer financial law?
  3. What agencies is CFPB working with regarding Equifax’s data breach and response?
  4. Has CFPB declined offers by the Federal Reserve, Federal Deposit Insurance Corp, or Office of the Comptroller of the Currency to help with on-site exams of credit bureaus?
  5. Will CFPB by itself or in conjunction with partner agencies conduct on-the-ground tests of how Equifax protects data? If so, when do you expect these tests to occur?
  6. Does CFPB plan to seek sworn testimony from Equifax executives prior to closing this matter?
  7. What steps has CFPB taken or does CFPB plan to take in looking into the Equifax data breach?
  8. Has CFPB communicated with credit reporting agencies regarding their business practices to prevent future breaches and consequential harm to the public?

The full letter follows and is available here:


February 9, 2018

The Honorable Mick Mulvaney
Acting Director
Consumer Financial Protection Bureau
1700 G Street NW
Washington, DC 20552

Dear Director Mulvaney:

We were disturbed by news reports that the Consumer Financial Protection Bureau (CFPB) is either slowing down or no longer investigating Equifax Inc.’s September 2017 data breach. As a result of this data breach, hackers stole personal data Equifax collected on 143 million Americans, some of whom had not consented to providing Equifax with their information.

According to news reports, the CFPB has not ordered subpoenas against Equifax or sought sworn testimony from its executives. Additionally, the Bureau has also failed to develop previously planned tests of how Equifax protects data. If true, this inaction flies in the face of the CFPB’s responsibility to protect consumers. It is a rejection of CFPB’s authority to act in response to the failure of institutions to engage in reasonable data security practices in connection with the collection and maintenance of consumer report information.

Consumers must have faith that entities which house personally identifiable information such as addresses, Social Security Numbers, and other sensitive information are using industry best practices to secure this data. The immense scale of the breach combined with Equifax’s failure to alert the public for six weeks endangered the privacy of millions of consumers. During this time, three Equifax executives sold nearly $2 million worth of the company’s shares. The data breach also exposed the company’s lax data security. By slowing down or halting CFPB’s investigation into the Equifax data breach, the Bureau is sending a signal to both businesses and consumers that there will be no consequences to future data breaches.

We urge you to continue CFPB’s investigation into the Equifax data breach that was started under your predecessor. According to a statement released by your senior advisor John Czwartacki, “CFPB is working with [your] partners across government on Equifax’s data breach and response.” To that end, please provide us with answers to the following questions:

1) What decisions have you personally made regarding CFPB’s investigation into the Equifax data breach?
2) Has CFPB assessed whether Equifax has complied with federal consumer financial laws?
3) What agencies is CFPB working with regarding Equifax’s data breach and response?
4) Has CFPB declined offers by the Federal Reserve, Federal Deposit Insurance Corp, or Office of the Comptroller of the Currency to help with on-site exams of credit bureaus?
5) Will CFPB by itself or in conjunction with partner agencies conduct on-the-ground tests of how Equifax protects data? If so, when do you expect these tests to occur?
6) Does CFPB plan to seek sworn testimony from Equifax executives prior to closing this matter?
7) What steps has CFPB taken or does CFPB plan to take in looking into the Equifax data breach?
8) Has CFPB communicated with credit reporting agencies regarding their business practices to prevent future breaches and consequential harm to the public?

Thank you for your attention to this matter.

Sincerely,

###
