In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, New York Governor Andrew M. Cuomo has directed the New York Department of Financial Services (DFS) to issue a new regulation requiring credit reporting agencies to register with New York for the first time and to comply with the state’s first-in-the-nation cybersecurity standard.
The annual reporting obligation also provides the DFS Superintendent with the authority to deny and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.
“A person’s credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said in a press release issued by DFS. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call, and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulation, all consumer credit reporting agencies that operate in New York must register annually with DFS beginning on or before February 1, 2018 and by February 1 of each successive year for the calendar year. The registration form must include an agency’s officers or directors who will be responsible for compliance with the financial services, banking and insurance laws and regulations.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo in the release. “This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals.”
Vullo may refuse to renew a consumer credit reporting agency’s registration if she finds that the applicant or any member, principal, officer or director of the applicant is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that the agency has given cause for revocation or suspension of registration or has failed to comply with any minimum standard.
The proposed regulation also subjects consumer reporting agencies to examinations by DFS as often as Vullo determines is necessary and prohibits agencies from the following:
- Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer.
- Engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresenting or omitting any material information in connection with the assembly, evaluation or maintenance of a credit report for a consumer located in New York State.
- Engaging in any unfair, deceptive or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
- Including inaccurate information in any consumer report relating to a consumer located in New York State.
- Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
- Making any false statement or any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.
In addition, every credit reporting agency must comply with the Department’s cybersecurity regulation, on a phased-in schedule of compliance, starting April 4, 2018. DFS’s cybersecurity regulation requires banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data, a written policy or policies that are approved by the board or a senior officer, a Chief Information Security Officer to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
Source: New York State Department of Financial Services