Sen. Amy Klobuchar (D-Minn.) is urging the Federal Trade Commission to increase resources dedicated to its investigation of Equifax.
Equifax announced in September 2017 that a security breach had exposed the names, Social Security numbers, birth dates and addresses of as many as 145 million Americans.
Klobuchar’s letter to the FTC follows published reports indicating that Office of Management and Budget Director Mick Mulvaney directed Consumer Financial Protection Bureau investigators to pull back from their investigation of Equifax. Mulvaney serves as acting director of the CFPB.
The attack falls under the jurisdiction of several federal agencies, including the FTC, the CFPB, and the Department of Justice, each of which announced investigations shortly after the breach occurred. While the investigation by DOJ will seek to uncover any criminal wrongdoing, “thorough civil investigations are also essential for identifying the missteps that rendered Equifax’s data vulnerable to such widespread exploitation and determining the necessary corrective actions,” Klobuchar says, calling Mulvaney’s decision “inexplicable.”
News reports (notably Reuters, that broke the story) allege that at Mulvaney’s direction the CFPB’s investigation “has been almost completely stalled, as investigators have failed to take routine investigative measures such as ordering subpoenas or seeking sworn testimony from Equifax executives,” Klobuchar wrote in her letter to the FTC. “In light of this concerning development, I urge the FTC to consider increasing the resources and manpower dedicated to its own investigation of the Equifax breach. The FTC is well-positioned to investigate this matter and its effect on consumers and Director Mulvaney’s actions suggest that FTC may be the only independent federal agency left undertaking a thorough civil investigation. A full and fair FTC investigation now appears to be the only way that we will determine the steps needed to prevent similar attacks in the future.”
In recent years, the FTC has positioned itself as a go-to regulator data breaches, especially if customer assurances of effective security were false, misleading, or unreasonable.