Equifax Breach Spurs Effort to Extend NY Cybersecurity Regulations to Credit Reporting Agencies
In the wake of the massive data breach involving Equifax, New York Gov. Andrew Cuomo announced he wants to extend the state’s new cybersecurity regulations to cover credit reporting agencies. The state’s cybersecurity and data protection rules, which currently apply to banks, insurance companies, and other financial institutions, are among the most comprehensive in the country.
As readers are most certainly aware, Equifax recently announced that a data breach may have impacted 143 million U.S. consumers, putting their Social Security numbers, birth dates, addresses, and some driver’s license numbers at risk. Not surprisingly, the breach has triggered investigations by state and federal agencies, as well as private lawsuits by consumers. In New York, it may also prompt new regulations.
DFS Cybersecurity Regulations
New York’s Department of Financial Services’ (DFS) cybersecurity regulations took effect on March 1, 2017. Pursuant to 23 NYCRR Part 500, financial service companies must “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The programs must address five key areas: identification of cyber risks; implementation of policies and procedures to protect unauthorized access/use or other malicious acts; detection of cybersecurity events; responsiveness to identified cybersecurity events to mitigate any negative events; and recovery from cybersecurity events and restoration of normal operations and services.
The cybersecurity requirements for financial services companies also mandate that covered entities implement cybersecurity policies that are tailored to their unique risks and needs. Covered entities must also appoint a chief information security officers to implement and enforce such policies. Other requirements under the regulation include: adopting policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties; requiring multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access; drafting an incident response plan to recover from any cybersecurity event; and conducting annual penetration testing and vulnerability assessments.
Proposed Regulations for Credit Reporting Agencies
A proposed regulation has already been introduced in New York that would bring credit reporting companies under the purview of the state’s new cybersecurity rules and require them to register with the state. In support of the need to increase oversight over credit reporting agencies, the regulation cites several “deficient practices” including (1) the failure of consumer credit reporting agencies to safeguard consumer data; (2) the failure of consumer credit reporting agencies to maintain accurate consumer credit data; and (3) the failure of consumer credit reporting agencies to appropriately investigate consumer disputes of alleged inaccuracies in credit reports.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyber attacks and other nefarious acts in this rapidly changing digital world” Gov. Cuomo said in a statement. “The Equifax breach was a wake-up call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulation, the term “consumer reporting agency” means “any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports or investigative consumer reports to third parties.” Below are several other key provisions proposed:
Registration: Consumer credit reporting agencies reporting on any consumers located in the State of New York would be required to register with the Superintendent of Financial Services (Superintendent). Registration would be required by February 2018. Going forward, consumer credit reporting agencies would be subject to examination. In addition, the superintendent would be authorized to refuse to renew a consumer credit reporting agency’s registration “if, in the superintendent’s judgment, the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that any of the foregoing has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.”
Prohibited Practices: The regulation would prohibit credit agencies from engaging in certain practices. They would include: directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer; engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State; and including inaccurate information in any consumer report relating to a consumer located in New York State. If found to have engaged in prohibited practice or otherwise violated the regulation, the superintendent could refuse to renew, revoke, or may suspend the credit reporting agency’s registration.
Cybersecurity Compliance: Consumer credit reporting agencies would be considered a “covered entity” under the state’s financial cybersecurity rules.
Compliance with various provisions would be phased in over time, with full compliance set for October 4, 2019.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work.
Supreme Court and Title VII: Implications for Reverse Discrimination
Earlier this month, the U.S. Supreme Court issued a decision in Ames v. Ohio Department of Youth Services vitiating the so-called “background circumstances” test required by half of federal circuit courts.1 The background circumstances test required majority group plaintiffs pleading discrimination under Title VII of the Civil Rights Act to meet a heightened pleading standard […]
Special purpose acquisition companies (better known as SPACs) appear to be making a comeback. SPAC offerings for 2025 have already nearly surpassed last year’s totals, with additional transactions in the pipeline. SPACs last experienced a boom between 2020–2021, with approximately 600 U.S. companies raising a record $163 billion in 2021. Notable companies that went public […]
Short Form Merger: Streamlining the Process for Businesses
Merging two companies is a complex legal and business transaction. A short form merger, in which an acquiring company merges with a subsidiary corporation, offers a more streamlined process that involves important corporate governance considerations. A short form merger, in which an acquiring company merges with a subsidiary corporation, offers a more streamlined process. However, […]
Tariff Response Options for Small Businesses Facing Financial Distress
The Trump Administration’s new tariffs are having an oversized impact on small businesses, which already tend to operate on razor thin margins. Many businesses have been forced to raise prices, find new suppliers, lay off staff, and delay growth plans. For businesses facing even more dire financial circumstances, there are additional tariff response options, including […]
Common Causes of Partnership Disputes and How to Resolve Them
Business partnerships, much like marriages, function exceptionally well when partners are aligned but can become challenging when disagreements arise. Partnership disputes often stem from conflicts over business strategy, financial management, and unclear role definitions among partners. Understanding Business Partnership Conflicts Partnership conflicts place significant stress on businesses, making proactive measures essential. Partnerships should establish detailed […]
Businesses Are Facing Financial Headwinds—A Practical Guide
*** The original article was featured on Bloomberg Tax, April 28, 2025 — As a tax attorney who spends much of my time helping people and companies who have large, unresolved issues with the IRS or one or more state tax departments, it often occurs to me that the best service that I can provide […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
