Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

What Does Recent Equifax Breach Mean For New York Cybersecurity Regulations?

Author: Scarinci Hollenbeck, LLC

Date: October 5, 2017

Key Contacts

Back

Equifax Breach Spurs Effort to Extend NY Cybersecurity Regulations to Credit Reporting Agencies

In the wake of the massive data breach involving Equifax, New York Gov. Andrew Cuomo announced he wants to extend the state’s new cybersecurity regulations to cover credit reporting agencies. The state’s cybersecurity and data protection rules, which currently apply to banks, insurance companies, and other financial institutions, are among the most comprehensive in the country.

What Does Recent Equifax Breach Mean For New York Cybersecurity Regulations?
Photo courtesy of Joshua Newton (Unsplash.com)

As readers are most certainly aware, Equifax recently announced that a data breach may have impacted 143 million U.S. consumers, putting their Social Security numbers, birth dates, addresses, and some driver’s license numbers at risk. Not surprisingly, the breach has triggered investigations by state and federal agencies, as well as private lawsuits by consumers. In New York, it may also prompt new regulations.

DFS Cybersecurity Regulations

New York’s Department of Financial Services’ (DFS) cybersecurity regulations took effect on March 1, 2017. Pursuant to 23 NYCRR Part 500, financial service companies must “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The programs must address five key areas: identification of cyber risks; implementation of policies and procedures to protect unauthorized access/use or other malicious acts; detection of cybersecurity events; responsiveness to identified cybersecurity events to mitigate any negative events; and recovery from cybersecurity events and restoration of normal operations and services.

The cybersecurity requirements for financial services companies also mandate that covered entities implement cybersecurity policies that are tailored to their unique risks and needs. Covered entities must also appoint a chief information security officers to implement and enforce such policies. Other requirements under the regulation include: adopting policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties; requiring multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access; drafting an incident response plan to recover from any cybersecurity event; and conducting annual penetration testing and vulnerability assessments.

Proposed Regulations for Credit Reporting Agencies

A proposed regulation has already been introduced in New York that would bring credit reporting companies under the purview of the state’s new cybersecurity rules and require them to register with the state. In support of the need to increase oversight over credit reporting agencies, the regulation cites several “deficient practices” including (1) the failure of consumer credit reporting agencies to safeguard consumer data; (2) the failure of consumer credit reporting agencies to maintain accurate consumer credit data; and (3) the failure of consumer credit reporting agencies to appropriately investigate consumer disputes of alleged inaccuracies in credit reports.

“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyber attacks and other nefarious acts in this rapidly changing digital world” Gov. Cuomo said in a statement. “The Equifax breach was a wake-up call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulation, the term “consumer reporting agency” means “any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports or investigative consumer reports to third parties.” Below are several other key provisions proposed:

  • Registration: Consumer credit reporting agencies reporting on any consumers located in the State of New York would be required to register with the Superintendent of Financial Services (Superintendent). Registration would be required by February 2018. Going forward, consumer credit reporting agencies would be subject to examination. In addition, the superintendent would be authorized to refuse to renew a consumer credit reporting agency’s registration “if, in the superintendent’s judgment, the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that any of the foregoing has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.”
  • Prohibited Practices: The regulation would prohibit credit agencies from engaging in certain practices. They would include: directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer; engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State; and including inaccurate information in any consumer report relating to a consumer located in New York State. If found to have engaged in prohibited practice or otherwise violated the regulation, the superintendent could refuse to renew, revoke, or may suspend the credit reporting agency’s registration.
  • Cybersecurity Compliance: Consumer credit reporting agencies would be considered a “covered entity” under the state’s financial cybersecurity rules.

Compliance with various provisions would be phased in over time, with full compliance set for October 4, 2019.

Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work.

    No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

    Scarinci Hollenbeck, LLC, LLC

    Related Posts

    See all
    Corporate Transactions: Best Practices for Successful Deals post image

    Corporate Transactions: Best Practices for Successful Deals

    Corporate transactions can have significant implications for a corporation and its stakeholders. For deals to be successful, companies must act strategically to maximize value and minimize risk. It is also important to fully understand the legal and financial ramifications of corporate transactions, both in the near and long term. Understanding Corporate Transactions The term “corporate […]

    Author: Dan Brecher

    Link to post with title - "Corporate Transactions: Best Practices for Successful Deals"
    How to Conduct a Fair and Legal Employee Termination in 2025 post image

    How to Conduct a Fair and Legal Employee Termination in 2025

    Ongoing economic uncertainty is forcing many companies to make tough decisions, which includes lowering staff levels. The legal landscape on both the state and federal level also continues to evolve, especially with significant changes to the priorities of the Equal Employment Opportunity Commission (“EEOC”) under the Trump Administration. Terminating an employee is one of the […]

    Author: Angela A. Turiano

    Link to post with title - "How to Conduct a Fair and Legal Employee Termination in 2025"
    Admin Dissolution for Annual Report: What You Need to Know post image

    Admin Dissolution for Annual Report: What You Need to Know

    While filing annual reports may seem like a nuisance, failing to do so can have significant ramifications. These include fines, reputational harm, and interruption of your business operations. In basic terms, “admin dissolution for annual report” means that a company is dissolved by the government. This happens because it failed to submit its annual report […]

    Author: Dan Brecher

    Link to post with title - "Admin Dissolution for Annual Report: What You Need to Know"
    What Is Antitrust Litigation Law? post image

    What Is Antitrust Litigation Law?

    Antitrust laws are designed to ensure that businesses compete fairly. There are three federal antitrust laws that businesses must navigate. These include the Sherman Act, the Federal Trade Commission Act, and the Clayton Act. States also have their own antitrust regimes. These may vary from federal regulations. Understanding antitrust litigation helps businesses navigate these complex […]

    Author: Robert E. Levy

    Link to post with title - "What Is Antitrust Litigation Law?"
    Dissolving Your Business: Essential Legal Steps to Protect Your Interests post image

    Dissolving Your Business: Essential Legal Steps to Protect Your Interests

    If you’re considering closing your business, it’s crucial to understand that simply shutting your doors does not end your legal obligations. Unless you formally dissolve your business, it continues to exist in the eyes of the law—leaving you exposed to ongoing liabilities such as taxes, compliance violations, and potential lawsuits. Dissolving a business can seem […]

    Author: Christopher D. Warren

    Link to post with title - "Dissolving Your Business: Essential Legal Steps to Protect Your Interests"
    The Role of Corporate Restructuring in Mergers & Acquisitions post image

    The Role of Corporate Restructuring in Mergers & Acquisitions

    Contrary to what many people think, corporate restructuring isn’t all doom and gloom. Revamping a company’s organizational structure, corporate hierarchy, or operations procedures can help keep your business competitive. This is particularly true during challenging times. Corporate restructuring plays a critical role in modern business strategy. It helps companies adapt quickly to market changes. Following […]

    Author: Dan Brecher

    Link to post with title - "The Role of Corporate Restructuring in Mergers & Acquisitions"

    No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

    Sign up to get the latest from our attorneys!

    Explore What Matters Most to You.

    Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

    Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

    Let`s get in touch!

    * The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

    Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!