New Cybersecurity Regulations for Credit Reporting Agencies

Following the Equifax breach, New York State has announced a proposed regulation for credit reporting agencies. According to the press release, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue a new regulation making credit reporting agencies to register with New York for the first time and comply with this state’s first-in-the-nation cybersecurity standard.

“Credit Rating Agencies Must Comply with New York’s First-in-the-Nation Cybersecurity Regulation”

“This Regulation Would Give the DFS Oversight of Credit  Reporting Agencies for the First Time Ever”

“DFS Superintendent May Deny or Revoke Agencies Authorization to Do Business with New York’s Regulated Financial Institutions and Consumers”

“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles evaluates or maintains a consumer credit report on NYS consumers must register with the State by February 1, 2018, and have in place a written cybersecurity program by April 4, 2018. The program must identify and assess internal and external cybersecurity risks that may threaten non-public information, including personally identifying consumer information. The program must include provisions that address data governance and classification, asset inventory and device management, access control and identity management, systems and network security and monitoring, as well as other mandated areas.

The proposed regulation also subjects consumer reporting agencies to examinations by DFS as often as the Superintendent determines is necessary, and prohibits agencies from the following:

• Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer.
• Engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State.
• Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
• Including inaccurate information in any consumer report relating to a consumer located in New York State.
• Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
• Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.

View the proposed regulation here