New York Governor Andrew Cuomo announced on Monday plans to make credit reporting firms comply with the 23 NYCRR 500 cybersecurity regulations enacted earlier this year. The move is in response to the massive Equifax breach disclosed on September 7, 2017.
"In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue new regulation making credit reporting agencies to register with New York for the first time and comply with this state's first-in-the-nation cybersecurity standard," says the statement.
"A person's credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security," Governor Cuomo said. "Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation."
In the proposed new regulation (PDF), Maria T. Vullo, Superintendent of Financial Services, makes it clear that her department has been monitoring 'the deficient practices' of credit reporting companies (such as Equifax, Experian and TransUnion). She cites failure to safeguard consumer data; failure to maintain accurate data; and failure investigate alleged inaccuracies.
Her proposed solution is to require the credit companies to register with the DFS, to comply with certain prohibited practices, and to comply with the regulations introduced in DFS 500. Failure to comply with this new regulation (23 NYCRR 201) could lead to the revocation of the credit company's authorization to do business with New York's regulated financial institutions and consumers -- effectively making it impossible to carry on.
"The data breach at Equifax demonstrates the necessity of strong state regulation like New York's first-in-the-nation cybersecurity actions," said Financial Services Superintendent Maria T. Vullo. "This is one necessary action of several that DFS will take to protect New York's markets, consumers and sensitive information from criminals."
It is thought that 8 million New Yorkers may be affected by the Equifax breach.
'First-in-the-nation' is how New York describes the DFS 500 regulation. Its two key requirements are that regulated companies (covered entities) must employ a chief information security officer, and that they must deliver an annual cybersecurity report signed off by the board with a certification document to the DFS. The CISO "shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body." This will effectively be a statement on how the regulation is implemented, including details on 'material Cybersecurity Events'.
The process effectively makes the DFS the final arbiter on the adequacy of the regulated companies' cybersecurity policies; and the new proposal brings credit reporting agencies in line with the requirements for the regulated financial services organizations.
The proposed new regulation also introduces a new range of prohibitions on credit reporting agencies designed to protect consumers. These prohibit "any unfair, deceptive or predatory act or practice toward any consumer... violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act..." and "Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency."
Cuomo makes it clear that he hopes that other states will follow with their own similar regulations on credit companies. This puts New York state in direct opposition to the perceived federal preferences of the Trump administration -- which would prefer to ease regulatory restrictions on business. Cuomo believes that tighter regulations are required to protect consumers, rather than looser regulations to promote business.
The new regulation will likely be subject to a public comment period. However, under the current proposal, credit reporting agencies will be required to register with the DFS by February 1, 2018, and annually thereafter. The DFS 500 cybersecurity regulation will need to be implemented on a staggered basis, but the credit companies will need to be in full compliance by October 4, 2019.