In the wake of its massive data breach that exposed the personal information of 143 million U.S. consumers to hackers, Equifax is already facing inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, the office of New York Attorney General Eric Schneiderman, and a lawsuit from the state of Massachusetts.
While all those inquiries cover the breach itself and the events shortly thereafter, Equifax’s mistakes could lead to a significant new regulatory overhang for all of the credit reporting agencies.
On Monday, New York Governor Andrew Cuomo directed the New York Department of Financial Services to issue new regulation that would bring credit reporting agencies under the agency’s supervisory umbrella for the first time.
Under Cuomo’s directive, Equifax and other credit reporting agencies would have to register with the NYDFS, and be subjected to NYDFS oversight.
Additionally, the credit reporting agencies would be required to comply with the state’s cybersecurity standards, which went into effect last month.
By making the credit reporting agencies register with the NYDFS every year, the agency would have the authority to prohibit a credit reporting agency from doing business with New York’s financial institutions.
Specifically, the directive stipulates that the NYDFS would have the authority to “deny and potentially revoke a consumer credit reporting agency's authorization to do business with New York's regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.”
Additionally, the NYDFS may choose to deny a credit reporting agency's yearly registration if the agency finds that the company or any member, principal, officer or director of the company, is “not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that the agency has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.”
The proposed regulation also subjects the credit reporting agencies to examinations by the NYDFS “as often as the Superintendent determines is necessary.”
The regulation also prohibits credit reporting agencies from certain conduct, including:
- Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer
- Engaging in any unfair, deceptive or predatory act or practice toward any consumer, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State
- Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
- Including inaccurate information in any consumer report relating to a consumer located in New York State
- Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer
- Making any false statement or making any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency
“A person’s credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security,” Cuomo said in a statement. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Separately, the NYDFS also warned other New York-regulated agencies to take “immediate” steps to secure consumers’ sensitive personal information.
“The scope and scale of this cyberattack is unprecedented and DFS is prepared to take all actions necessary to protect New York’s consumers and financial markets,” NYDFS Superintendent Maria Vullo said.
“Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York’s regulated institutions,” Vullo added.
Specifically, the NYDFS is asking companies to take the following steps:
- Ensure that all information technology and information security patches have been installed
- Ensure that appropriate ID theft and fraud prevention programs are in place and followed for customer due diligence/Know Your Customer (“KYC”) purposes and before an account is opened, or a credit card is issued, or any loan or other form of financing is approved, whether for new applicants or existing clients, and, if appropriate, consider using an identity verification/fraud service for identity verification
- Confirm the validity of information contained in Equifax credit reports (if they receive them) before relying on them for provision of products and services to new applicants, as well as existing clients, as they may have been compromised given the cyberattack
- If appropriate, consider a customer call center for customers to call in and inform the institution if their information has been hacked, in which case, consider coding the customer account with a “red flag” to contact the customer at a pre-designated contact number or e-mail address prior to opening an account, issuing a credit card, providing a loan or any other form of financing or other services and products, or making any changes to existing accounts
- If the institution provides consumer or commercial related account and debt information to Equifax under any arrangement with Equifax, ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data in light of this cyberattack, taking into consideration the Department’s requirements under its cybersecurity regulation with respect to third party service providers