Equifax announced on September 7, 2017 a massive data breach affecting an estimated 143 million consumers.  Richard Cordray, the then Director of the CFPB, shortly thereafter authorized an investigation according to several media reports.  Reuters reported Monday that the investigation sputtered since then, according to several government and industry sources.  That is not surprising since there is substantial doubt as to whether the CFPB has enforcement jurisdiction over data breaches.  See our March 3, 2016 blog about the one and only data security enforcement action taken by the CFPB.  Professor Jeff Sovern acknowledged Monday in the Consumer Law and Policy Blog that “the CFPB has very limited jurisdiction over the Equifax data breach, if it has any jurisdiction anyway….”

Equifax is reportedly being investigated by every state attorney general and the FTC and is facing an onslaught of class actions.  So even though the CFPB appears not to be involved in the Equifax matter, this has not stopped the FTC and the state attorneys general from aggressively pursuing their own investigations. 

×