The U.S. consumer finance watchdog agency is expected to punish Equifax for its cyber breach with the wide-ranging powers it has used with Wall Street, former agency officials and lawyers said this week. The credit-reporting company is subject to five federal laws governing listed companies, the use of public data and the fair treatment of customers, and the Federal Trade Commission and the Department of Justice are examining the hacking theft of personal information on up to 143 million people.

But because Equifax is not strictly a financial company, questions arose whether the Consumer Financial Protection Bureau, the agency created after the 2008 financial crisis, has the power to penalize the firm for the breach.

Legal experts said the CFPB is likely to weigh in using powers it wields under the 2010 Dodd-Frank Act.

Equifax is one of the country’s three major credit bureaus which, along with TransUnion and Experian PLC, gather data on consumer spending habits which is then purchased by banks to determine a customer's creditworthiness.

The CFPB and legal experts said the regulator could pursue Equifax under an aspect of the Dodd-Frank Act banning unfair, deceptive and abusive acts and practices (UDAAP).

The UDAAP provision does not specifically address cyber incidents, but because it is "very broad and very vague," the CFPB could argue Equifax breached the law, said Alan Kaplinsky of law firm Ballard Spahr.

Read the full article here. Subscription may be required.