Governor Andrew M. Cuomo today announced that the Department of Financial Services has issued a final regulation to protect New Yorkers from the threat of data breaches at credit reporting agencies, such as the Equifax breach that exposed the personal private data of millions of New Yorkers. The new regulation, which incorporates comments received during a public comment period, requires credit reporting agencies with significant operations in New York to register with DFS for the first time and to comply with New York's first-in-the-nation cybersecurity standard. The annual reporting obligation also provides the DFS Superintendent with the authority to deny, suspend and potentially revoke a consumer credit reporting agency's authorization to do business with New York's regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.
"As the federal government weakens consumer protections, New York is strengthening them with these new standards," Governor Cuomo said. "Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber-attacks, providing them with peace of mind about their financial future."
Under the new regulation, all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year must register annually with DFS beginning on or before September 1, 2018, and by February 1 of each successive year for the calendar year thereafter. The registration form must include an agency's officers and directors who will be responsible for compliance with the financial services, banking, and insurance laws, and regulations.
Financial Services Superintendent Maria T. Vullo said, "The data breach at Equifax demonstrated the absolute necessity of strong state regulation, such as New York's first-in-the-nation cybersecurity regulation, to safeguard New York's markets, consumers and sensitive information from cyberattacks. DFS's oversight of credit reporting agencies will help to ensure that the personal data of New York consumers is less vulnerable to cyberattacks in this digital world, in order to prevent further breaches of consumer financial information."
Assemblyman Matthew J. Titone, Chair of the Committee on Consumer Affairs and Protection said, "Given the interconnectedness of the financial services industry and the potential harm that consumers and our financial institutions may face from cyberattacks and other data breaches, this regulation will help provide much needed oversight and protection to consumers across New York."
The DFS Superintendent may refuse to renew a consumer credit reporting agency's registration if the Superintendent finds that the applicant or any member, principal, officer or director of the applicant, has, among other things:
- Violated any insurance, financial service, or banking laws or violated any regulation, subpoena or order of the Superintendent or of another state's insurance or banking commissioner or of any other state or federal agency with authority to regulate consumer credit reporting agencies, or has violated any law in the course of his or her dealings in such capacity;
- Failed to comply with the requirements of the regulation, including but not limited to, section 201.07 concerning cybersecurity;
- Used fraudulent, coercive or dishonest practices; or
- Provided materially incorrect, materially misleading, materially incomplete or materially untrue information in the registration application.
The regulation also subjects consumer reporting agencies to examinations by DFS as often as the Superintendent determines is necessary, and prohibits agencies from the following, unless preempted by federal law:
- Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer;
- Engaging in any unfair, deceptive or predatory act or practice toward any consumer;
- Misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a New York consumer;
- Engaging in any unfair, deceptive, or abusive act or practice in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act;
- Failing to comply with the provisions of federal law relating to the accuracy of the information in any consumer report relating to a New York consumer;
- Refusing to communicate with an authorized representative of a New York consumer who provides a written authorization signed by the consumer, with certain provisions;
- Making any false statement or making any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the Superintendent or another governmental agency.
In addition, every credit reporting agency must comply with the Department's cybersecurity regulation, beginning on November 1, 2018 pursuant to the time table included in the final regulation. DFS's cybersecurity regulation requires banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry. DFS's cybersecurity regulation also requires the protection of data from third-party vendors and the filing with DFS of an annual certification of compliance.
A copy of the final regulation can be found here.