The Washington Post

The FTC is investigating the Equifax breach. Here’s why that’s a big deal.

The Post's Brian Fung called Equifax to see if his data was compromised in the recent hack. Here are his calls. (Video: Jhaan Elker/The Washington Post)

The Federal Trade Commission said Thursday that it is investigating the massive data breach at credit reporting agency Equifax, adding the top U.S. consumer watchdog to the chorus of federal lawmakers and regulators expressing alarm over the unauthorized access of data belonging to 143 million people.

The FTC's disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country. And the move by the agency could signal a robust response from Washington.

“The FTC typically does not comment on ongoing investigations,” said Peter Kaplan, the agency's acting director of public affairs. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

It is unclear what aspects of the breach the agency is looking into. The FTC is broadly empowered to go after companies accused of misleading consumers with their public statements, or engaging in unfair business practices. It frequently investigates companies, but rarely does it acknowledge the existence of those investigations, leaving the public to find out about lawsuits and settlements only after they have been filed.

The FTC isn't the only federal agency looking closely at the Equifax incident. The Consumer Financial Protection Bureau has also said it is looking into the company's response to the breach. 

On the Hill, the leading members of the House's Energy and Commerce, Financial Services and Judiciary committees have all called for hearings on the matter. At least two congressional hearings on the Equifax breach have been announced. The first scheduled panel will take place on Oct. 3, when Equifax chief executive Richard Smith is expected to testify. A bipartisan group of 36 senators has asked the Department of Justice and the Securities and Exchange Commission to investigate reports that Equifax executives sold stock after learning about the breach but before it was made public.

The FTC's acting chairman, Maureen Ohlhausen, didn't respond to a request for comment. The agency's top Democrat, Terrell McSweeny, said she is “very concerned” about the size of the breach, as well as Equifax's response.

The FTC's move could provide momentum for Congress to act on data privacy legislation. While advocates and elected officials have long pushed for laws to protect consumers against data breaches, such efforts in recent years have stalled. But some say the scope of Equifax's breach, and the company's handling of the aftermath, will finally prompt a reaction from Washington.

“I don't think this is just going to quickly disappear with a couple of hearings on Capitol Hill,” said Gene Kimmelman, president of the consumer group Public Knowledge. “This is a little like Three Mile Island. You can't put the genie back in the bottle.”

Rep. Ted Lieu (D-Calif.) said in an interview with The Post that he is drafting two bills in response to the Equifax hack — one creating minimum data security standards for credit reporting agencies, and another that would bar firms from forcing victims of data breaches into arbitration.

“The scale of the breach and the delay before Equifax notified the public are not acceptable and I believe this breach will cause Congress to act,” Lieu said. “The breach exposed several deficiencies in our law.”

Sen. Ron Wyden (D-Ore.) and Rep. Jim Himes (D-Conn.) are advancing bills that would grant Americans the ability to freeze and unfreeze their credit for free.

And Sen. Mark Warner (D-Va.) told The Post he is working on reviving efforts to pass a data breach notification law, requiring companies to notify customers about a breach within a certain narrow time frame.

Equifax was widely criticized for waiting six weeks to disclose that it had been hacked. And even after the information was shared with the public, Equifax is not proactively informing consumers whether their sensitive data was compromised. Instead, anxious Americans have been directed to visit Equifax's help site and enter their name and the last 6 digits of their Social Security number to find out if their data may have been stolen.

“The hack was awful but then their response to the hack continued to show their incompetence,” said Warner, who thinks that the scope and potential damage from the Equifax breach sets it apart from previous hacks. “This should be a new impetus to move.”

According to Warner, partisan disagreement isn't what has blocked previous efforts to pass data security laws. Rather, it was different industries — from retail to financial institutions to telecom companies — clamoring for exemptions from the proposed law. But Warner said he would work to get these parties back to the negotiation table in the wake of Equifax.

Some are skeptical, however, that even a massive and egregious lapse of security affecting almost half the population will lead to congressional action.

“There will be hearings, yes. But as with everything in Washington, it's easier to stop something than to make something happen, and there are a lot of people who have doubts to any remedy that might be proposed,” said Stewart Baker, a former general counsel of the National Security Agency and assistant secretary for policy at the Department of Homeland Security. “It's easier to imagine a stalemate than adopting legislation.”

But some lawmakers are moving ahead.

On the Senate floor Thursday, Minority Leader Charles Schumer (D-N.Y.) described the Equifax breach as “one of the most egregious examples of corporate malfeasance since Enron.” Schumer said the company's chief executive and board of directors should step down unless they take five steps to correct their mishandling: notify affected consumers; provide free credit monitoring to them for at least 10 years; offer to freeze their credit for up to 10 years; remove forced arbitration clauses from their terms of use; and comply with fines or new standards that come out of investigations.

“It’s only right that the CEO and board step down if they can’t reach this modicum of corporate decency by next week,” he said.
