2017 has proven to be a rough year for consumer credit reporting giant Equifax. In March and then again in May, the company’s customer data was compromised, making the Social Security numbers, addresses, driver’s license numbers, and other identifying data of 143 million U.S. citizens, along with as many as 44 million U.K. citizens and another 100,000 Canadians, available to an as-yet unknown criminal or group.
Equifax underwent a 13 percent drop in share price immediately following news of the scandal, and numerous lawsuits have sprung up in response to their negligence. A case set to come from California law firm Geragos & Geragos poses the greatest financial threat to the company, as the firm indicated they would seek upwards of $70 billion in damages, a figure unprecedented in the U.S.’s history of class-action lawsuits.
More important, however, is the anticipated reaction of government agencies to Equifax’s clear negligence. The security breach was accomplished through a well-known and subsequently patched vulnerability in Apache Struts, a common piece of web application software. The patch was released on March 7th, well before May’s attack and data theft. Victims and commentators alike are waiting for the Consumer Financial Protection Bureau (CFPB) to weigh in, as Equifax’s precise business classification has raised questions over whether or not the government agency has the legal authority to penalize the company.
A CFPB investigation into the Equifax breach may be possible because they are not, strictly speaking, a financial company. Both the Department of Justice and the Federal Trade Commission are already involved, as Equifax is legally accountable to at least five laws that impact listed companies, including those that govern customer data use and fair treatment. The CFPB’s justification for action would hypothetically be 2010’s Dodd-Frank Act.
The Dodd–Frank Wall Street Reform and Consumer Protection Act was issued in response to 2008’s widespread financial crisis and sought to bring about widespread financial reforms to Wall Street, while also establishing new protections for consumers. Title X of the legislation established the CFPB, and it would seem that Equifax’s missteps fall within the bureau’s purview. Specifically, Equifax’s actions may be classified as unfair, deceptive, or abusive acts and practices (UDAAP) and thus qualify them for investigation according to the powers given to the CFPB by the Dodd-Frank Act.
This wouldn’t be the first time that the CFPB dealt with Equifax, as this January the bureau issued fines against the credit reporting company for allegedly misleading customers on both the cost and usefulness of credit score information. Given this history and the vague nature of the CFPB’s UDAAP powers, an investigation is possible, if not likely.