Congress of the United States
Washington, DC 20510

September 6, 2018

Joseph Simons
Chairman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580

Mick Mulvaney
Director
Office of Management and Budget
725 17th Street, NW
Washington, DC 20007

Dear Chairman Simons and Director Mulvaney:

We are writing to bring your attention to a new Government Accountability Office ("GAO") report regarding the massive 2017 Equifax data breach, and to request information on the status of your agencies' investigations.1 The new GAO report, which we released today, details how attackers exploited Equifax's significant vulnerabilities to gain unauthorized access to sensitive personal information belonging to more than 145 million Americans, and describes the initial actions taken by your agencies in response to this breach. The Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) have both publicly acknowledged opening investigations, but one day prior to the first anniversary of Equifax's public acknowledgement of the breach, neither agency has taken any public action to hold Equifax accountable for its failures.

Equifax executives - including its Chief Security Officer and Chief Executive Officer - kept the public in the dark for more than a month after they found out about the security intrusion. On September 14, 2017, a week after the public disclosure, both the FTC and CFPB announced that they would exercise their statutory authority to investigate the breach and Equifax's response.2 No public enforcement actions have been taken by either agency in response to the breach.

Credit Reporting Agencies (CRAs) should be given special attention by regulators because of the unique characteristics of the industry. As former CFPB Director Richard Cordray described, credit reporting agencies are "one of the markets where people cannot vote with their feet by choosing another provider if they are dissatisfied."3 Companies like Equifax do not ask the American people before they collect their most sensitive information. This information can determine their ability to access credit, obtain a job, secure a home loan, purchase a car, and make dozens of other transactions that are critical to their personal financial security. This is why effective oversight of these companies by your agencies is vital, and why the American people deserve an update on your investigations.

In April 2018, a letter from Sen. Warren and her Senate colleagues was sent to Director Mulvaney requesting information on the CFPB's investigation4 amid disturbing reports that under his leadership, the CFPB has stalled its inquiry, failing to take even the most preliminary investigative steps, and cutting back supervision of large consumer reporting agencies.5 We have yet to receive a response. The letter accompanied the release of a staff report finding that the CFPB received more than 20,000 complaints regarding Equifax in the six months after the company announced the data breach.6 These consumer complaints included improper use of credit reports, incorrect information on credit reports, inadequate assistance in resolving problems, and problems with Equifax credit monitoring, fraud alerts, and security freezes in the wake of the breach.7 The last update received from the FTC regarding their investigation was in October 2017.

The GAO report finds that "Equifax determined that several major factors had facilitated the attackers' ability to successfully gain access to its network and extract information from databases containing PII," and that "key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance."8 This report confirmed the findings of Sen. Warren's investigation which also revealed that Equifax had advance notice of its vulnerabilities and still failed to take steps to protect the personal information of millions of Americans.9

The review also confirms that FTC and CFPB are the two federal agencies with primary oversight over CRAs. The FTC has authority over organizations that maintain consumer data under the Federal Trade Commission Act and can investigate and bring enforcement actions for violations of laws that protect consumer information.10 Further, FTC's authority under the Gramm-Leach-Bliley Act provides data security requirements for non-bank financial institutions, which includes CRAs.11 The FTC also has the responsibility for enforcing CRAs' compliance with the Fair Credit Reporting Act.

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB has a statutory mandate to implement and enforce federal consumer protection laws, including the Fair Credit Reporting Act.12 CFPB has clear supervisory authority over the largest consumer reporting agencies, and CFPB has previously taken enforcement actions against CRAs for violations of the Fair Credit Reporting Act, including bringing enforcement actions against CRAs for any unfair, deceptive, or abusive acts or practices.13

The GAO report we released today confirmed that the breach was caused, in part, by numerous data security failures on the part of Equifax. In response to Congressional inquiry into your investigations, you reaffirmed your commitment to protecting consumer privacy, promoting data security, and using your agencies' authorities to address wrongdoing by CRAs.14 Yet, to date, your agencies appear to have taken no definitive action to hold Equifax accountable.

Therefore, I ask that you provide us with a staff-level briefing to provide an update on your agencies' investigations and that you answer the following questions by September 20, 2018:

1. On September 14, 2018, both of your agencies confirmed that investigations were opened to examine the Equifax breach.15 Are these investigations still ongoing? If not, why were investigations halted, and who directed that these investigations be closed?

2. If the investigation is ongoing, who is the point of contact currently leading the Equifax investigation in your agencies?

3. If your agency is conducting an investigation, please describe what steps your agency has taken in furtherance of the investigation.
   a. Has your agency issued Civil Investigative Demands (CIDs)?
   b. Has your agency interviewed Equifax personnel?
   c. Has your agency examined Equifax systems or gone onsite to Equifax facilities?

4. Have you conducted investigations of or undertaken cybersecurity examinations over any other CRAs, including Experian and TransUnion, to identify whether these CRAs are adequately protecting personal information? If so, please describe your activities.

5. What other steps have your agencies taken to prevent future data breaches?

Thank you for your prompt attention to this request.

Sincerely,

United States Senator

Elijah Cummings
Member of Congress

cc: Commissioner Maureen Ohlhausen
    Commissioner Noah Joshua Phillips
    Commissioner Rohit Chopra
    Commissioner Rebecca Slaughter

1 Government Accountability Office, Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (Aug. 2018) (GAO-18-559).
2 USA Today, "Equifax data breach: Feds start investigation," Roger Yu and Kevin McCoy, September 14, 2017, https://www.usatoday.com/story/money/2017/09/14/ftc-investigating-equifax-over-data-breach/665550001/.
3 CFPB, "Prepared Remarks of CFPB Director Richard Cordray at the Consumer Advisory Board Meeting," March 02, 2017, https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-cfpb-director-richard-cordray-consumer-advisory-board-meeting-march-2017/.
4 Letter from Senator Elizabeth Warren, Senator Robert Menendez, and Senator Brian Schatz to Acting Director English and Director Mulvaney, April 30, 2018.
5 Reuters, "Exclusive: U.S. consumer protection official puts Equifax probe on ice," Patrick Rucker, February 5, 2018, https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ.
6 Office of Senators Warren, Schatz and Menendez, "Breach of Trust: CFPB's Complaint Database Shows Consumers Need Help After Equifax Breach," April 2018, https://www.warren.senate.gov/imo/media/doc/Breach%20of%20Trust%20Equifax%20Report.pdf.
7 Id.
8 Government Accountability Office, Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (Aug. 2018) (GAO-18-559).
9 Office of Sen. Elizabeth Warren, "Bad Credit: Uncovering Equifax's Failure to Protect American's Personal Information," February 2018, https://www.warren.senate.gov/files/documents/2018_2_7_%20Equifax_Report.pdf.
10 Federal Trade Commission Act, 15 U.S.C. § 45(a).
11 15 U.S.C. § 6801(b).
12 Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. § 5481(14).
13 Defining Larger Participants of the Consumer Reporting Market, 12 C.F.R. § 1090.101; GAO Report at 10-11.
14 Response letter to FTC re Equifax Breach, September 27, 2017, http://thehill.com/policy/technology/373198-dem-call-for-more-action-on-equifax-hack.
15 USA Today, "Equifax data breach: Feds start investigation," Roger Yu and Kevin McCoy, September 14, 2017, https://www.usatoday.com/story/money/2017/09/14/ftc-investigating-equifax-over-data-breach/665550001/.