In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, the state Department of Financial Services has proposed a regulation requiring credit-reporting agencies to register with New York for the first time and to comply with this state’s first-in-the-nation cybersecurity standard.
The annual reporting obligation also gives the DFS superintendent the authority to deny and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to have engaged in certain prohibited practices, including unfair, deceptive or predatory practices.
“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Gov. Andrew Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wake-up call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulation, all consumer credit reporting agencies that operate in New York must register annually with DFS beginning on or before Feb. 1, 2018, and by Feb. 1 of each successive year for the calendar year thereafter. The registration form must include an agency’s officers or directors who will be responsible for compliance with the financial services, banking, and insurance laws and regulations.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo. “This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals.”
The DFS Superintendent may refuse to renew a consumer credit reporting agency’s registration if the superintendent finds that the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that the agency has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.
The proposed regulation also subjects consumer reporting agencies to examinations by DFS as often as the superintendent determines is necessary, and prohibits agencies from the following:
• Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer.
• Engaging in any unfair, deceptive or predatory act or practice toward any consumer, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York state.
• Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
• Including inaccurate information in any consumer report relating to a consumer located in New York state.
• Refusing to communicate with an authorized representative of a consumer located in New York state who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
• Making any false statement or any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.
In addition, every credit reporting agency must comply with the department’s cybersecurity regulation, on a phased-in schedule of compliance, starting April 4, 2018.
DFS’s cybersecurity regulation requires banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.