Equifax is expecting various forms of punishment from the Consumer Financial Protection Bureau and the Federal Trade Commission over the credit reporting agency’s massive data breach that exposed the personal information of 148 million U.S. consumers to hackers.
The company revealed the expected sanctions in a recent filing with the Securities and Exchange Commission.
According to Equifax, the CFPB and FTC have both notified the company that they expect to seek “injunctive relief damages” in regards to the data breach. Beyond that, the CFPB plans to seek “civil money penalties,” the company said.
The company added that it has submitted written responses to both agencies addressing the allegations, and said that it continues to cooperate with the agencies in their investigations.
The company did not provide an expected timeline for when the potential punishment will be announced, but the fact that the CFPB is seeking to fine the company for the breach represents a shift from the bureau’s recent actions in the case.
A little over a year ago, it was reported that the CFPB, under interim Director Mick Mulvaney, was not pursuing Equifax with the same vigor that the bureau likely would have under former Director Richard Cordray.
Shortly after Equifax first revealed the data breach, the CFPB said that it would begin looking into the breach, but Reuters later reported that Mulvaney’s CFPB had pulled back from investigating the breach.
According to Reuters, the CFPB also reportedly “rebuffed” offers to help conduct exams of the credit reporting agencies from the Federal Reserve, the Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency.
At the time, several prominent Democratic Senators blasted Mulvaney’s reported pullback, with Sen. Elizabeth Warren, D-Mass., calling the move a “middle finger” to consumers.
Now, it appears that the tide has turned, at least somewhat, with the CFPB supposedly planning a fine. How much of a fine remains to be seen, however.
Beyond that, Equifax said that the New York Department of Financial Services notified the company that it is considering recommending taking legal action against the company, potentially seeking “consumer relief and civil money penalties” in the action.
The FTC launched its own investigation into Equifax after the breach was first exposed, and that action seems to be nearing its end as well, but those are hardly the only agencies and parties that are pursuing Equifax over the breach.
According to Equifax’s SEC filing, the following agencies are investigating the breach: 48 state Attorneys General offices, the District of Columbia, the FTC, the CFPB, the SEC, the Department of Justice, other U.S. state regulators, certain Congressional committees of both the Senate and House of Representatives, the Office of the Privacy Commissioner of Canada, and the U.K.’s Financial Conduct Authority.
The company is also facing a number of lawsuits from cities, shareholders, and more than 1,000 lawsuits from consumers over the breach.
“Although we are actively cooperating with the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations,” the company said in its SEC filing.