Connolly and Krishnamoorthi Demand Answers from CFPB on the Reported Slowdown of the Investigation into the 2017 Equifax Data Breach
Today, Reps. Gerry Connolly (D-VA) and Raja Krishnamoorthi (D-IL) sent a letter to Consumer Financial Protection Bureau Acting Director Mick Mulvaney requesting his response to recent reports that the Bureau is slowing down or ending its investigation into the September 2017 data breach of Equifax, one of the nation’s largest consumer credit reporting agencies. The breach exposed the personal information of 143 million Americans, and its existence was shamefully kept secret from the American public for six weeks. Acting Director Mulvaney’s predecessor launched an investigation into this massive breach of public trust, and it is imperative that current CFPB leadership commit to seeing this investigation through to its completion.
February 9, 2018
The Honorable Mick Mulvaney
Consumer Financial Protection Bureau
1700 G Street NW
Washington, DC 20552
Dear Director Mulvaney:
We were disturbed by news reports that the Consumer Financial Protection Bureau (CFPB) is either slowing down or no longer investigating Equifax Inc.’s September 2017 data breach . As a result of this data breach, hackers stole personal data Equifax collected on 143 million Americans, some of whom had not consented to providing Equifax with their information.
According to news reports, the CFPB has not ordered subpoenas against Equifax or sought sworn testimony from its executives. Additionally, the Bureau has also failed to develop previously planned tests of how Equifax protects data. If true, this inaction flies in the face of the CFPB’s responsibility to protect consumers. It is a rejection of CFPB’s authority to act in response to the failure of institutions to engage in reasonable data security practices in connection with the collection and maintenance of consumer report information.
Consumers must have faith that entities which house personally identifiable information such as addresses, Social Security Numbers, and other sensitive information are using industry best practices to secure this data. The immense scale of the breach combined with Equifax’s failure to alert the public for six weeks endangered the privacy of millions of consumers. During this time, three Equifax executives sold nearly $2 million worth of the company’s shares. The data breach also exposed the company’s lax data security. By slowing down or halting CFPB’s investigation into the Equifax data breach, the Bureau is sending a signal to both businesses and consumers that there will be no consequences to future data breaches.
We urge you to continue CFPB’s investigation into the Equifax data breach that was started under your predecessor. According to a statement released by your senior advisor John Czwartacki, “CFPB is working with [your] partners across government on Equifax’s data breach and response.” To that end, please provide us with answers to the following questions:
1) What decisions have you personally made regarding CFPB’s investigation into the Equifax data breach?
2) Has CFPB assessed whether Equifax has complied with federal consumer financial laws?
3) What agencies is CFPB working with regarding Equifax’s data breach and response?
4) Has CFPB declined offers by the Federal Reserve, Federal Deposit Insurance Corp, or Office of the Comptroller of the Currency to help with on-site exams of credit bureaus?
5) Will CFPB by itself or in conjunction with partner agencies conduct on-the-ground tests of how Equifax protects data? If so, when do you expect these tests to occur?
6) Does CFPB plan to seek sworn testimony from Equifax executives prior to closing this matter?
7) What steps has CFPB taken or does CFPB plan to take in looking into the Equifax data breach?
8) Has CFPB communicated with credit reporting agencies regarding their business practices to prevent future breaches and consequential harm to the public?
Thank you for your attention to this matter.