While President Donald J. Trump has pledged to cut back government red tape, White House press secretary Sarah Huckabee Sanders said Monday that the severity of the Equifax breach could mean more rules are needed. She said the administration will look at the situation “extensively,” and that Trump's homeland security adviser Tom Bossert will lead efforts to respond to the hack.

Equifax is among a handful of companies that control data such as credit histories that banks rely on to assess whether consumers should get loans. The Atlanta-based company said Sept. 7 that the compromised information includes Social Security numbers, driver's license records and birth dates. It faces multiple state and federal investigations, and at least one multibillion-dollar class action lawsuit.

Unlike banks, Equifax and competitors TransUnion and Experian don't have multiple regulators constantly looking over their shoulders. The Federal Reserve and Office of the Comptroller of the Currency, for example, have teams of supervisors assigned to specific lenders. The officials have daily responsibilities for monitoring any transactions and weaknesses in computer systems that could threaten financial stability.

Before the CFPB begin policing the industry in 2012, it faced almost no federal oversight. The Federal Trade Commission has authority to sanction the companies for failing to protect consumers, but it doesn't engage in proactive monitoring. Durbin said that the size of penalties the FTC is allowed to impose aren't big enough to adequately punish a breach on the scale of Equifax's.

Equifax Sanction

Much of the CFPB's scrutiny of Equifax and its rivals has been on trying to ensure that credit reports are based on accurate data and that the firms are properly responding to consumer complaints. At least publicly, less of the agency's focus has been on cybersecurity. The CFPB is led by Director Richard Cordray, who was appointed by former President Barack Obama.

In January, the consumer bureau accused Equifax and TransUnion of misleading consumers about credit products they had sold them. Without admitting or denying the allegations, Equifax agreed to provide almost $3.8 million in restitution to affected consumers, while paying a $2.5 million fine. The CFPB has said it is investigating Equifax's data breach as well as the company's response.

The CFPB has authority to make sure financial companies maintain standards to keep customer information safe. The agency brought its first cybersecurity case last year, fining online payment company Dwolla Inc. $100,000 for allegedly deceiving companies about how secure its systems were. The settlement could provide a roadmap for how the agency deals with Equifax's breach.

Lawmakers have repeatedly tried to tighten restrictions for how companies report consumer breaches and to expand cybersecurity protections—with limited success in the face of intense corporate lobbying. Treasury Secretary Steven Mnuchin signaled Tuesday that the White House and Congress might have to revisit such issues, including what “liability and responsibility” companies should have over hacks.

“Americans shouldn't expect these things to happen, and the current situation is obviously quite unfortunate,” Mnuchin said at CNBC's Delivering Alpha conference in New York. “This is not something that the private sector can do alone, and this is not something that the government can do alone.”

Bank Losses

When criminals get access to consumer data and use it to commit identify theft, it's banks and credit unions that often bear the brunt of financial losses. Lenders also face costs associated with managing the fallout of a breach, such as reissuing new credit cards and managing consumer complaints. The Equifax breach has reinvigorated calls for Congress to create national standards to ensure all companies are adequately protecting data.

“It's time for companies who lose consumer data or do not protect it to be held responsible,” said Dan Berger, president of the National Association of Federally-Insured Credit Unions. “I think you're going to see Congress really take a closer look at this.”

Democrats have used the Equifax breach to push a number of policy goals, including their desire to impose new requirements on companies' tracking of consumer data and to remove barriers to customer lawsuits. On Monday, a group of lawmakers led by Sen. Brian Schatz, a Hawaii Democrat, reintroduced legislation that would make it easier for consumers to deal with identify theft and mistakes in their credit reports.

Multiple congressional committees have called for hearings and sought information from Equifax to try to get to the bottom of what happened. While Republicans have been less vocal than Democrats in demanding more rules, they have said they want to know went wrong and whether Equifax violated any laws.

“This event certainly is striking,” U.S. Rep. Patrick McHenry, the North Carolina Republican who is vice chairman of the House Financial Services Committee, said in an interview “These companies should be better, they should protect our data in much stronger forms and any failure to do that, we should have a broader discussion about how we improve this market.”

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.