As the Equifax data breach continues to reverberate—with multiple class actions filed, calls to revamp the credit reporting industry and new legislation proposed—even the arbitration rules of the Consumer Financial Protection Bureau (CFPB) may see an impact.

What happened

On Sept. 7, the credit reporting company disclosed that up to 143 million Americans had their personal information—including names, Social Security numbers, birth dates, addresses and driver’s license numbers—revealed when hackers gained unauthorized access to the company’s data between May and July 2017.

The fallout has been fast, furious and continuing. Almost two dozen putative class actions have already been filed across the country (so far). Oregon resident Mary McHill won the race to the courthouse with a complaint seeking “fair compensation” to ensure that consumers harmed by the breach will not be out of pocket for costs such as credit repair and monitoring services, while a group of small businesses led by O’Dell Properties, LLC, filed their own class action in Georgia federal court.

State attorneys general announced investigations, with Massachusetts AG Maura Healey filing the first lawsuit on Sept. 19. According to the complaint, Equifax failed to “develop, implement, or maintain a [comprehensive information security program] that met the minimum requirements of the [state’s] Data Security Regulations,” and otherwise violated state law by failing to adequately patch or otherwise secure its portal from a known vulnerability, keeping information about Massachusetts consumers in an unencrypted form in a part of its network accessible from the Internet, and neglecting to maintain multiple levels of security for consumer data.

AGs in other states are continuing to investigate the data breach, with New York Attorney General Eric T. Schneiderman sending letters to Equifax as well as the other major credit reporting companies, asking for detailed information on their security practices. New York’s Gov. Andrew Cuomo followed up by directing the state’s Department of Financial Services to issue a proposed rule that would require credit reporting agencies to register with the state and comply with the DFS’ cybersecurity requirements.

On the federal level, lawmakers have scheduled hearings with and demanded documents from Equifax, as well as requested investigations by federal agencies, asking the Department of Justice (DOJ) and the Securities and Exchange Commission to look into stock sales by three company executives who sold nearly $2 million worth of shares in Equifax after the company learned of the breach but before the news was made public.

Demonstrating just how significant the call for action has become, the Federal Trade Commission actually confirmed that the agency is investigating the data breach—an unheard-of move by the agency. “The FTC typically does not comment on ongoing investigations,” Peter Kaplan, the agency’s acting director of public affairs, said in a statement. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

Lawmakers also introduced a host of legislation, ranging from amendments to the Fair Credit Reporting Act to a revival of a bill that would establish a single, uniform national data breach notification standard to forgo the current patchwork of state laws.

Rep. Maxine Waters (D-Calif.) reintroduced her 2016 measure, the “Comprehensive Consumer Credit Reporting Reform Act,” which would, among other things, require credit reports to improve in accuracy, grant consumers greater access to the information credit reporting agencies have about them and provide legal remedies to consumers for FCRA violations. Sen. Brian Schatz (D-Hawaii) reintroduced his bill, titled “Stop Errors in Credit Use and Reporting (SECURE) Act,” which would make similar changes to the statute to increase oversight and regulation of the industry.

Other legislative efforts include the “Data Broker Accountability and Transparency Act” from Sens. Edward J. Markey (D-Mass.), Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.) and Al Franken (D-Minn.)—a measure that would prohibit the sale of consumer information for marketing purposes and allow consumers to access and correct their information—as well as a bill from Sen. Elizabeth Warren (D-Mass.) that would amend the FCRA “to enhance fraud alert procedures and provide free access to credit freezes.”

The breach may also have an impact on the CFPB’s final arbitration rule. The controversial rule—which would prohibit the use of mandatory predispute arbitration clauses—has already been the subject of repeal efforts by Congress. But Equifax’s initial response to the breach triggered renewed calls to support the rule.

When announcing the incident, the company promised consumers free credit file monitoring and identity theft protection, offering a form on its website for consumers to complete in order to determine if their information was hacked. But then news broke that the form also required consumers to waive their rights to a class action and agree to individual arbitration.

AG Schneiderman went on the offensive, contacting Equifax to contest the “unacceptable” and “unenforceable” language. The company clarified that the arbitration clause and class action waiver included in the website’s terms of use applied to its credit file monitoring and identity theft protection products—not the cybersecurity incident.

Backers of the CFPB’s arbitration rule pointed to the experience as further support for its enactment.

“This is just one more example why the [CFPB’s] rule banning forced arbitration is badly needed to protect the rights of working Americans,” Sen. Sherrod Brown (D-Ohio), ranking member of the Committee on Banking, Housing and Urban Affairs, said in a statement, with similar reaction from consumers groups like Public Citizen, which called it “one of the most brazen corporate wrongdoer maneuvers in memory.”

To read the complaint in McHill v. Equifax, Inc., click here.

To read the complaint in O’Dell Properties, LLC v. Equifax, Inc., click here.

To read the complaint in Massachusetts v. Equifax, Inc., click here.

Why it matters

The Equifax data breach continues to make headlines on a daily basis, weeks after it was disclosed, whether it is new legislation introduced in light of the scandal, another class action filed, or other legal wrangling from state or federal regulators. The bulk of the laws recently introduced are nonstarters that will not gain much traction in Congress, but the state AG actions—from the Massachusetts lawsuit to New York’s move to bring data brokers under the purview of the DFS’ cybersecurity rules—may have legs. Whether the brouhaha over Equifax’s attempt to impose arbitration moves the needle with regard to the CFPB’s final rule remains to be seen.