Following the massive security breach at Equifax Inc. disclosed earlier this month, New York Gov. Andrew Cuomo on Monday proposed new regulations that would subject consumer credit reporting agencies to the same cybersecurity rules that the state recently enacted for banks and insurance companies.
Under the proposed rules, credit reporting agencies such as Equifax, TransUnion and Experian would have to register with the state Department of Financial Services beginning in February and every year thereafter. Their registration form would also have to include the agency’s officers or directors who would be responsible for compliance with the recently enacted regulations aimed at deterring cyberattacks on the financial services industry (NYLJ, Aug. 25).
The state’s cybersecurity regulations, billed as the first in the nation, require banks and insurance companies regulated by DFS to have department-approved plans to deter cyberattacks and to report any attacks to the department within 72 hours of when they occur, but the existing rules didn’t cover consumer credit reporting agencies. Under the proposed regulations announced by Cuomo on Monday—which are slated to appear in the State Register on Oct. 4 and are subject to a public comment period—credit reporting agencies would have to comply with the regulations on a phased-in schedule beginning April 4.
The announcement of the proposed new regulations comes roughly two weeks after Atlanta-based Equifax announced Sept. 7 that hackers had gained access to sensitive personal information of roughly 143 million Americans and 209,000 individuals’ credit card numbers. The breach lasted from mid-May through July, highlighting the lack of comprehensive regulatory oversight for credit reporting agencies’ data security.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world,” Cuomo said in a statement. “The Equifax breach was a wake-up call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
The proposed regulation would give the DFS superintendent broad latitude to deny and possibly revoke a credit reporting agency’s authorization to do business with New York-regulated financial institutions and customers if the agency is found to have engaged in prohibited practices, like deceptive and predatory practices. DFS Superintendent Maria Vullo may also subject credit reporting agencies to examination by the state agency as necessary. Credit reporting agencies would also be prohibited under state as well as federal law from engaging in any unfair, deceptive or abusive acts or practices in violation of Section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The regulations also prohibit credit reporting agencies from including inaccurate information in any consumer report relating to a consumer located in New York state. The Federal Trade Commission and the Consumer Financial Protection Bureau regulate various aspects of the credit reporting business. The FTC made the rare disclosure last week that it is investigating the data breach.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Vullo in a statement. “This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals.”
Earlier this month, New York Attorney General Eric Schneiderman’s office opened up an investigation into the Equifax breach, which may have compromised the information of roughly 8 million New Yorkers (NYLJ, Sept. 8). Unlike other security breaches, like the one on Target in 2014, intruders in the Equifax breach got unauthorized access to consumers’ names, Social Security numbers, birthdays, addresses and driver’s license numbers.
Equifax is also under scrutiny for the sales of company stock three executives made on Aug. 1, which the company maintains the executives made without knowledge of the massive data breach, but which regulatory experts said raise questions. Equifax has retained King & Spalding’s Phyllis Sumner as lead defense counsel in the more than 70 class actions already filed over the breach, according to sources familiar with the matter.