Equifax Breach Spurs Effort to Extend NY Cybersecurity Regulations to Credit Reporting Agencies
In the wake of the massive data breach involving Equifax, New York Gov. Andrew Cuomo announced he wants to extend the state’s new cybersecurity regulations to cover credit reporting agencies. The state’s cybersecurity and data protection rules, which currently apply to banks, insurance companies, and other financial institutions, are among the most comprehensive in the country.
As readers are most certainly aware, Equifax recently announced that a data breach may have impacted 143 million U.S. consumers, putting their Social Security numbers, birth dates, addresses, and some driver’s license numbers at risk. Not surprisingly, the breach has triggered investigations by state and federal agencies, as well as private lawsuits by consumers. In New York, it may also prompt new regulations.
DFS Cybersecurity Regulations
New York’s Department of Financial Services’ (DFS) cybersecurity regulations took effect on March 1, 2017. Pursuant to 23 NYCRR Part 500, financial service companies must “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The programs must address five key areas: identification of cyber risks; implementation of policies and procedures to protect unauthorized access/use or other malicious acts; detection of cybersecurity events; responsiveness to identified cybersecurity events to mitigate any negative events; and recovery from cybersecurity events and restoration of normal operations and services.
The cybersecurity requirements for financial services companies also mandate that covered entities implement cybersecurity policies that are tailored to their unique risks and needs. Covered entities must also appoint a chief information security officers to implement and enforce such policies. Other requirements under the regulation include: adopting policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties; requiring multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access; drafting an incident response plan to recover from any cybersecurity event; and conducting annual penetration testing and vulnerability assessments.
Proposed Regulations for Credit Reporting Agencies
A proposed regulation has already been introduced in New York that would bring credit reporting companies under the purview of the state’s new cybersecurity rules and require them to register with the state. In support of the need to increase oversight over credit reporting agencies, the regulation cites several “deficient practices” including (1) the failure of consumer credit reporting agencies to safeguard consumer data; (2) the failure of consumer credit reporting agencies to maintain accurate consumer credit data; and (3) the failure of consumer credit reporting agencies to appropriately investigate consumer disputes of alleged inaccuracies in credit reports.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyber attacks and other nefarious acts in this rapidly changing digital world” Gov. Cuomo said in a statement. “The Equifax breach was a wake-up call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulation, the term “consumer reporting agency” means “any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports or investigative consumer reports to third parties.” Below are several other key provisions proposed:
Registration: Consumer credit reporting agencies reporting on any consumers located in the State of New York would be required to register with the Superintendent of Financial Services (Superintendent). Registration would be required by February 2018. Going forward, consumer credit reporting agencies would be subject to examination. In addition, the superintendent would be authorized to refuse to renew a consumer credit reporting agency’s registration “if, in the superintendent’s judgment, the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that any of the foregoing has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.”
Prohibited Practices: The regulation would prohibit credit agencies from engaging in certain practices. They would include: directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer; engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State; and including inaccurate information in any consumer report relating to a consumer located in New York State. If found to have engaged in prohibited practice or otherwise violated the regulation, the superintendent could refuse to renew, revoke, or may suspend the credit reporting agency’s registration.
Cybersecurity Compliance: Consumer credit reporting agencies would be considered a “covered entity” under the state’s financial cybersecurity rules.
Compliance with various provisions would be phased in over time, with full compliance set for October 4, 2019.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work.
Dissolving Your Business: Essential Legal Steps to Protect Your Interests
If you’re considering closing your business, it’s crucial to understand that simply shutting your doors does not end your legal obligations. Unless you formally dissolve your business, it continues to exist in the eyes of the law—leaving you exposed to ongoing liabilities such as taxes, compliance violations, and potential lawsuits. Dissolving a business can seem […]
The Role of Corporate Restructuring in Mergers & Acquisitions
Contrary to what many people think, corporate restructuring isn’t all doom and gloom. Revamping a company’s organizational structure, corporate hierarchy, or operations procedures can help keep your business competitive. This is particularly true during challenging times. Corporate restructuring plays a critical role in modern business strategy. It helps companies adapt quickly to market changes. Following […]
Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public
Cryptocurrency intimidates most people. The reason is straightforward. People fear what they do not understand. When confusion sets in, the common reaction is either to ignore the subject entirely or to mistrust it. For years, that is exactly how most of the public and even many in law enforcement treated cryptocurrency. However, such apprehension changed […]
Understanding Chattel Paper: A Key Component in Secured Transactions
Using chattel paper to obtain a security interest in personal property is a powerful tool. It can ensure lenders have a legal claim on collateral ranging from inventory to intellectual property. To reduce risk and protect your legal rights, businesses and lenders should understand the legal framework. This framework governs the creation, sale, and enforcement […]
For years, digital assets operated in a legal gray area, a frontier where innovation outpaced the reach of regulators and law enforcement. In this early “Wild West” phase of finance, crypto startups thrived under minimal oversight. That era, however, is coming to an end. The importance of crypto compliance has become paramount as cryptocurrency has […]
Supreme Court and Title VII: Implications for Reverse Discrimination
Earlier this month, the U.S. Supreme Court issued a decision in Ames v. Ohio Department of Youth Services vitiating the so-called “background circumstances” test required by half of federal circuit courts.1 The background circumstances test required majority group plaintiffs pleading discrimination under Title VII of the Civil Rights Act to meet a heightened pleading standard […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
