The article notes that Equifax, one of the three largest credit bureaus in the U.S., must operate under the guidelines of five federal laws, including its use of public data, fair treatment of customers, and statutes under both the Federal Trade Commission and the Department of Justice.
But because Equifax isn’t entirely a financial company (it only provides information on consumers’ spending habits so that banks can make judgements on credit solvency), many wonder whether the CFPB has the power to issue penalties for the breach.
The CFPB has taken action on Equifax before, in January, for “deceiving consumers about the usefulness and cost of credit score information,” Sam Gilbert, spokesman for the CFPB, told Reuters. Experts expect that the bureau will use a statute that bars unfair, deceptive, and abusive practices (UDAAP) listed under the Dodd-Frank Act.
“Its Dodd-Frank mandate gives the CFPB authority to investigate Equifax even without cyber security rules,” Quyen Truong, a partner at law firm Stroock & Stroock & Lavan who previously served as assistant director and deputy general counsel for the CFPB, told Reuters.
Under Dodd-Frank, the CFPB has the authority to fine companies violating the law up to $1 million per day, as well as to demand specific action or retribution for breaches.
You can find the full Reuters article here.