New York announced today that it is requiring credit reporting agencies with significant operations in the state to register with its Department of Financial Services and comply with its cybersecurity standards, the first ever in the states.
The new regulation mandates annual reporting and provides the NYDFS superintendent with the authority to deny, suspend or revoke a consumer credit reporting agency’s authorization to do business in the state.
"As the federal government weakens consumer protections, New York is strengthening them with these new standards," Governor Andrew Cuomo said in a statement.
"Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyberattacks, providing them with peace of mind about their financial future," Cuomo said.
The cybersecurity regulations go into effect on November 1, 2018. New York is the first state to implement a cybersecurity standard on businesses. According to the state, banks, insurance companies, financial services institutions and now credit reporting entities must all have a cybersecurity program designed to protect consumers’ private data in place.
Following the Equifax data breach, which exposed the personal information of nearly 148 million U.S. consumers to hackers, talks of increasing consumer protection ensued. Today’s announcement is the culmination of almost a year of New York lawmakers edging toward increasing oversight on the security practices of consumer credit entities.
"The data breach at Equifax demonstrated the absolute necessity of strong state regulation, such as New York's first-in-the-nation cybersecurity regulation, to safeguard New York's markets, consumers and sensitive information from cyberattacks,” NYDFS Superintendent Maria Vullo said in a statement.
“DFS' oversight of credit reporting agencies will help to ensure that the personal data of New York consumers is less vulnerable to cyberattacks in this digital world, in order to prevent further breaches of consumer financial information," she added.
If Vullo's office finds consumer credit entities to be in violation of any insurance, financial service or banking laws, failing to comply with cybersecurity regulations, engaging in fraudulent practices or fudging details in their registrations, the NYFDS can take action against them.
According to the NYFDS, the regulation also subjects consumer reporting agencies to examinations by DFS as often as the superintendent deems necessary, and prohibits agencies from the following, unless preempted by federal law:
- Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer;
- Engaging in any unfair, deceptive or predatory act or practice toward any consumer;
- Misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a New York consumer;
- Engaging in any unfair, deceptive, or abusive act or practice in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act;
- Failing to comply with the provisions of federal law relating to the accuracy of the information in any consumer report relating to a New York consumer;
- Refusing to communicate with an authorized representative of a New York consumer who provides a written authorization signed by the consumer, with certain provisions;
- Making any false statement or making any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the Superintendent or another governmental agency.