As fallout from the Equifax breach that exposed personal data on 143 million Americans continues to spread, New York Governor Andrew Cuomo told the state's Department of Financial Services to create new regulation compelling credit reporting companies for the first time to register with New York and to comply with the cybersecurity standards that recently went into effect in the state, a move that would let the DFS superintendent deny or revoke a firm's authorization to do business with consumers or financial institutions regulated in New York.
"A person's credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security," Cuomo said in a release. "Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation."
Financial Services Superintendent Maria T. Vullo had already issued guidance to help licensed financial institutions act to protect consumers affected by the Equifax breach. “The scope and scale of this cyberattack is unprecedented and DFS is prepared to take all actions necessary to protect New York's consumers and financial markets,” Vullo said in a release. “Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York's regulated institutions.”
The new regulation ordered by Cuomo would subject credit reporting agencies to DFS review and prohibits them from promoting schemes to defraud consumers, engaging in unfair or deceptive practices, violating section 1036 of Dodd-Frank, including inaccurate information in reports, and making false statements or “omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.”
Calling Cuomo's move "one of the first regulatory shoes to drop in an effort to protect consumers from unfair practices and careless handling of their personal data," Steven Grossman, vice president of strategy at Bay Dynamics, lauded New York for moving "quickly to extend its recent cyber regulation from those covered entities operating in NYS to credit reporting agencies that report on any individuals located" in the state.
"In addition to mandating a structured risk based program," Grossman told SC Media, "of particular note are provisions requiring notification of breaches within 72 hour of determination and the annual certification of compliance by an accountable board member or senior officer."