Equifax Breach Spurs Effort to Extend NY Cybersecurity Regulations to Credit Reporting Agencies
In the wake of the massive data breach involving Equifax, New York Gov. Andrew Cuomo announced he wants to extend the state’s new cybersecurity regulations to cover credit reporting agencies. The state’s cybersecurity and data protection rules, which currently apply to banks, insurance companies, and other financial institutions, are among the most comprehensive in the country.
As readers are most certainly aware, Equifax recently announced that a data breach may have impacted 143 million U.S. consumers, putting their Social Security numbers, birth dates, addresses, and some driver’s license numbers at risk. Not surprisingly, the breach has triggered investigations by state and federal agencies, as well as private lawsuits by consumers. In New York, it may also prompt new regulations.
DFS Cybersecurity Regulations
New York’s Department of Financial Services’ (DFS) cybersecurity regulations took effect on March 1, 2017. Pursuant to 23 NYCRR Part 500, financial service companies must “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The programs must address five key areas: identification of cyber risks; implementation of policies and procedures to protect unauthorized access/use or other malicious acts; detection of cybersecurity events; responsiveness to identified cybersecurity events to mitigate any negative events; and recovery from cybersecurity events and restoration of normal operations and services.
The cybersecurity requirements for financial services companies also mandate that covered entities implement cybersecurity policies that are tailored to their unique risks and needs. Covered entities must also appoint a chief information security officers to implement and enforce such policies. Other requirements under the regulation include: adopting policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties; requiring multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access; drafting an incident response plan to recover from any cybersecurity event; and conducting annual penetration testing and vulnerability assessments.
Proposed Regulations for Credit Reporting Agencies
A proposed regulation has already been introduced in New York that would bring credit reporting companies under the purview of the state’s new cybersecurity rules and require them to register with the state. In support of the need to increase oversight over credit reporting agencies, the regulation cites several “deficient practices” including (1) the failure of consumer credit reporting agencies to safeguard consumer data; (2) the failure of consumer credit reporting agencies to maintain accurate consumer credit data; and (3) the failure of consumer credit reporting agencies to appropriately investigate consumer disputes of alleged inaccuracies in credit reports.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyber attacks and other nefarious acts in this rapidly changing digital world” Gov. Cuomo said in a statement. “The Equifax breach was a wake-up call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulation, the term “consumer reporting agency” means “any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports or investigative consumer reports to third parties.” Below are several other key provisions proposed:
Registration: Consumer credit reporting agencies reporting on any consumers located in the State of New York would be required to register with the Superintendent of Financial Services (Superintendent). Registration would be required by February 2018. Going forward, consumer credit reporting agencies would be subject to examination. In addition, the superintendent would be authorized to refuse to renew a consumer credit reporting agency’s registration “if, in the superintendent’s judgment, the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that any of the foregoing has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.”
Prohibited Practices: The regulation would prohibit credit agencies from engaging in certain practices. They would include: directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer; engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State; and including inaccurate information in any consumer report relating to a consumer located in New York State. If found to have engaged in prohibited practice or otherwise violated the regulation, the superintendent could refuse to renew, revoke, or may suspend the credit reporting agency’s registration.
Cybersecurity Compliance: Consumer credit reporting agencies would be considered a “covered entity” under the state’s financial cybersecurity rules.
Compliance with various provisions would be phased in over time, with full compliance set for October 4, 2019.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work.
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies
The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]
How Understanding Bankruptcy Trends Can Benefit Your Business
The bankruptcy legal landscape presents both challenges and opportunities for businesses navigating financial distress. Understanding current bankruptcy trends can help businesses make more informed and strategic decisions. Corporate Bankruptcy Filings Trending Upwards Bankruptcy filings continued to trend upwards in 2024. According to statistics released by the Administrative Office of the U.S. Courts, personal and business […]
SEC Takes Actions Against Issuers for Failure to File Form D
In December, the U.S. Securities and Exchange Commission (SEC) announced charges against two privately held companies for failing to file a Form D notice, which is generally utilized for exempt securities offerings. Here, the SEC’s enforcement sends a strong message: compliance with regulatory requirements is not optional and failure to comply can have significant consequences. […]
Redefining Labor Relations: NLRB's Pivot from Abruzzo’s Memoranda
On February 14, 2025, the Office of General Counsel (OGC) of the National Labor Relations Board (NLRB) under Acting General Counsel William B. Cowen issued Memorandum 25-05, “New Process for More Efficient, Effective, Accessible and Transparent Case handling.” The Memorandum rescinds nearly all of the Memoranda issued by his direct predecessor, Jennifer Abruzzo, setting the […]
If you purchase real property from a foreign person or entity, you may be required to withhold taxes from your payment to the seller under the Foreign Investment in Real Property Tax Act (FIRPTA). The federal tax law is designed to ensure that foreign sellers pay any applicable capital gains tax on profits realized from […]
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
