The interim head of the Federal Trade Commission division that traditionally conducts data security investigations has recused himself from the agency’s investigation into the Equifax Inc. breach because he previously represented the company while at the law firm Arnall Golden Gregory.
Thomas Pahl, a former partner at Arnall Golden in Washington, was named in February as the acting director of the FTC’s bureau of consumer protection—the same division that was behind the agency’s data security settlements with Ashley Madison and Wyndham Hotels and Resorts over massive data breaches.
In an email Thursday, Pahl confirmed he is “recused from working on matters involving Equifax because [of] my past representation of Equifax.”
Daniel Kaufman, one of his deputy directors, “will be taking my place on all such matters,” Pahl said. Kaufman joined the FTC in 1998 as a staff attorney in the consumer protection bureau’s division of advertising practices, where he litigated false advertising cases. Before being named a deputy director in December 2011, Kaufman also served as the consumer protection bureau’s chief of staff and as an adviser to former chairwoman Deborah Majoras.
The FTC publicly confirmed Thursday, in a rare move, that the agency was investigating the Equifax breach, which potentially compromised the personal information of 143 million Americans. Pahl’s consumer protection division oversees a broad swath of the FTC’s enforcement duties, cracking down on data security shortcomings, identity theft and deceptive advertising.
Pahl is the acting head because he serves at the discretion of the FTC’s current chairwoman, Maureen Ohlhausen, who is also leading the agency in an interim capacity as the Trump administration searches for a permanent leader.
Pahl’s return to the FTC in the Trump administration was a homecoming of sorts. Earlier, he’d served in other roles at the agency, beginning in 1990, including in the consumer protection bureau as assistant director in the divisions of advertising practices and financial practices. He has also worked at the Consumer Financial Protection Bureau.
“Tom’s career demonstrates his continuing commitment to protecting consumers through active enforcement and advocacy that promotes a free and honest marketplace,” Ohlhausen said in a statement in February. “His thoughtful approach will help ensure consumers benefit from thriving competition and innovation. Tom’s talent, deep consumer protection experience, and strong principles make him perfect to lead the Bureau of Consumer Protection, and I’m very pleased to have him aboard.”
Lobbying records reveal that Equifax paid Arnall Golden more than $2.5 million between 2011 and June of this year. Arnall Golden was first hired in February 2011 to advise Equifax on “issues impacting upon the credit reporting industry, such as credit header issues,” according to a lobbying registration.
Robert Belair, a partner at Arnall Golden who leads the firm’s privacy and consumer regulatory practice, has lobbied for Equifax on Capitol Hill ever since on legislation related to data security and breach notification, along with bills proposing new limits on the credit reporting agency’s primary regulator—the Consumer Financial Protection Bureau.
Since late 2016, Arnall Golden partner Montserrat Miller, a former counsel to U.S. Sen. Dianne Feinstein, has joined Belair in lobbying for Equifax.
The Equifax breach has drawn widespread outcry, not only for its scale but also for Equifax’s perceived delay in notifying the public. The credit reporting agency said it learned of the breach in late July but only announced it last week—a wait time that could throw fuel on Congress’ smoldering interest in establishing a national notification standard.
Two U.S. House of Representatives committees have announced plans to hold hearings on the breach, and numerous class actions are piling up.
The FTC said it was publicly announcing its investigation “in light of the intense public interest and the potential impact of this matter.”
The Equifax breach could give the FTC a platform like none other before to assert itself as the top cop on the cybersecurity beat, a status that has been contested in the courts but shown in the response to other notable hacks.
In December, the FTC joined with state attorneys general to reach a $1.6 million settlement with Ashley Madison, the dating site marketed to those looking to have affairs, over allegations connected to a 2015 data breach that exposed the account information of 36 million users.
A year before that settlement, Wyndham Hotels and Resorts agreed to establish a “comprehensive information security program” to resolve FTC allegations that the hospitality company’s cybersecurity shortcomings exposed the payment card information of hundreds of thousands of consumers.