At the direction of Governor Andrew Cuomo, the New York Department of Financial Services ("DFS") proposed expanding recently enacted cybersecurity regulations to include credit reporting agencies that collect data on consumers in New York. The proposal would mandate that credit reporting agencies not only register with the DFS but also comply with New York's "first-in-the-nation" cybersecurity regulations (see previous coverage).

Under the proposal, credit reporting agencies would be obligated to register with the DFS. The DFS superintendent would have the ability to revoke or suspend the registration of parties found to be in violation of the regulations. Credit reporting agencies would be subject to ongoing DFS examinations and investigations to evaluate compliance. In addition, when considering applications for registration or renewal, the DFS "may refuse to renew a consumer credit reporting agency's registration if the Superintendent finds that the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that the agency has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard." 

Governor Cuomo explained that the recent Equifax data breach has catalyzed an enhanced commitment to cybersecurity:

"Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation."

Pursuant to the proposal, consumer credit reporting agencies would be required to register with the DFS by February 1, 2018, and would have a phased period to comply fully with the cybersecurity regulations by October 4, 2019.

Commentary / Joseph V. Moreno

In what may be the first regulatory reaction to the historic Equifax data breach, the NY DFS has proposed a new rule that would require the registration of credit reporting agencies and, more importantly, force them to comply with the recently issued rules on cybersecurity for financial institutions and other "Covered Entities." This is a further recognition that hackers are no longer interested in only bank account and credit card information, but also identifying information about consumers that may be used to steal identities and to sell them on the black market. New or existing credit reporting agencies that collect information from even a single customer in New York will have no choice but to comply. As cyber attackers become more creative in the targeting and use of consumer data, it is only a matter of time before other entities and industries in New York and elsewhere that compile customer information become subject to such rules.
