(Reuters)

The Department of Financial Services has subpoenaed Equifax over a cybersecurity breach that may have compromised the personal information of 143 million Americans, including 8 million New Yorkers.

At a hearing before the State Senate in Albany Thursday, DFS Superintendent Maria Vullo confirmed reports that the agency, which regulates the banking and insurance industries in New York, subpoenaed the credit-reporting agency seeking more information about the security breach.

“It simply is unacceptable for a company that profits from consumers’ private information to fail to have adequate protections. As I said, the facts about what happened at Equifax are still unfolding, and DFS is investigating this matter thoroughly on behalf of the people of this state,” Vullo said.

Clark Russell, the deputy bureau chief of the bureau of internet and technology at the New York Attorney General’s Office, told the panel that the office received 1,300 data breach notices in 2016, up 60 percent from the previous year.

Attorney General Eric Schneiderman’s office is also investigating Atlanta-based Equifax’s breach, which occurred between mid-May and July (NYLJ, Sept. 8). Earlier this month, Schneiderman’s office sent a letter to the credit-reporting company seeking more information about the breach, in which intruders gained unauthorized access to individuals’ names, Social Security numbers, birthdays, addresses and driver’s license numbers.

At the hearing, which was held by the State Senate’s consumer protection committee and focused on identity theft, Schneiderman’s office said that while the Equifax breach is “unique,” it’s an “escalation of a disturbing trend.”

Russell implored the state Legislature to update the state’s data security laws. “We all need to do more,” he said.

“The law should require that all entities that collect or store private information have reasonable security measures. It may be surprising to learn that there is no statutory law requiring a company to maintain ‘reasonable data security,’ except if it collects Social Security numbers, or if the company is in the health care or the financial industry and governed by a specific regulatory framework,” he added.

Earlier this month, DFS proposed new regulations that would subject consumer credit-reporting agencies to the same cybersecurity rules that the state recently enacted for banks and insurance companies (NYLJ, Aug. 25). Under the rules, which are subject to a 45-day public comment period, credit-reporting agencies, such as Equifax, TransUnion and Experian, would have to register with the state beginning in February and have a DFS-approved plan to deter cyberattacks.