In the wake of the massive Equifax data breach, New York’s Governor Andrew Cuomo is proposing regulations to hold credit reporting agencies accountable and put them under the watchful eye of the Empire State’s Department of Financial Services (DFS).
On Monday, Cuomo directed the DFS to issue new regulations requiring credit reporting agencies to register with the state and comply with its first-in-the-nation cybersecurity standard for banks and other financial institutions.
The proposed annual reporting obligation would also provide the DFS Superintendent with the authority to deny and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers “if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive, or predatory practices,” Cuomo’s office said in a statement.
Among other requirements, the regulation would prohibit credit bureaus from “making any false statement or [making] any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.”
In the statement introducing the regulation, Cuomo said: “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
On Sept. 7, Equifax, a $3.3 billion company, disclosed that its computer systems had been breached by hackers, exposing the personal data of 143 million Americans. Equifax discovered the data breach on July 29, but the first in a series of breaches had occurred as early as two months before that date.
New York’s proposed regulations would also require every credit reporting agency to comply with DFS’s cybersecurity regulations.
Those rules, which took effect on March 1, 2017, require banks, insurance companies, and other financial services companies regulated by DFS to have a cybersecurity program designed to protect consumers’ private data. The companies must also have a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
The proposed regulations for credit reporting agencies are subject to a public comment period before they become final.
Under the registration requirement as proposed, consumer credit reporting agencies would have to register with DFS beginning on or before February 1, 2018. Compliance with the cybersecurity regulations would be based on a phased-in schedule, starting April 4, 2018.