In Wake of Equifax Data Breach, Credit Reporting Agencies Made Subject to NY State Cybersecurity Regulations
The new rules are the state's response to last year's data breach at Equifax, a credit reporting agency, that exposed the personal information of 143 million people.
June 25, 2018 at 04:59 PM
5 minute read
Credit reporting agencies will now be required to register with the state and comply with its cybersecurity regulations, the state Department of Financial Services announced Monday. The new rules are the state's response to last year's data breach at Equifax, a credit reporting agency, that exposed the personal information of 143 million people. If a credit reporting agency is found to have violated the new regulations, the DFS will now have the power to block them from serving New York state residents. Under the new rules, any credit reporting agency that ran more than 1,000 credit reports in New York state in the last year will have to register with the DFS by the beginning of September and then again at the beginning of February each year. Each credit agency will also be required to follow the state's new cybersecurity regulations, which until now only applied to banks, insurance companies and other financial institutions. Gov. Andrew Cuomo recommended that change after the breach in September. "The data breach at Equifax demonstrated the absolute necessity of strong state regulation, such as New York's first-in-the-nation cybersecurity regulation, to safeguard New York's markets, consumers and sensitive information from cyberattacks,” said Maria Vullo, superintendent of the DFS, in a statement. “DFS's oversight of credit reporting agencies will help to ensure that the personal data of New York consumers is less vulnerable to cyberattacks in this digital world, in order to prevent further breaches of consumer financial information,” Vullo said. The state's cybersecurity regulations , implemented in March 2017, were designed to prevent a massive data breach in the state's financial services industry. They require that each business have its own comprehensive cybersecurity protocol in place. That includes a program designed to protect consumer data from digital threats, a written policy about such a program that's approved by the board or a senior officer of the company, the appointment of a chief information security officer, and an incident response plan. Each company is required to assess its own risk to digital threats and establish a system to protect against those threats. If companies choose to contract their digital security through a third party, the contracted company must also develop a risk assessment plan for digital threats. Credit reporting agencies will now have to implement those changes by the beginning of November. The DFS will also be allowed to request information from those agencies at any time, but the companies will also have to submit annual reports to the department. If those agencies fail to provide information to the state, their license to serve New York state customers could be suspended or revoked. There are also practices that credit reporting agencies must avoid if they want to keep their license, the DFS said. Companies will not be allowed to engage in any schemes that might mislead or defraud a consumer and cannot hide information from consumers that was used to generate a credit report. Credit reporting agencies also risk losing their license if they ignore or report inaccurate information to a New York state consumer or state agency. A violation of any part of the federal Dodd-Frank Wall Street Reform and Consumer Protection Act could also be met with action from the DFS. The regulations were developed by the DFS with input during a public comment period held after last year's Equifax breach, the state agency said. The personal data of more than 8 million New York state residents was estimated to be involved in the breach. That included individuals' names, Social Security numbers, birth dates, addresses and driver's license numbers. Former state Attorney General Eric Schneiderman and the DFS opened their own investigations into the breach last year, with Schneiderman soon after recommending legislation to enhance data protection for state residents. State Sen. LeRoy Comrie, D-Queens, had also introduced legislation that would require credit reporting agencies to freeze consumer credit reports when a breach is detected. Neither bill passed the legislature. A spokeswoman for Equifax said the company was taking a look at the new regulations in an emailed statement Monday."Equifax is still reviewing the regulation in its entirety," the spokeswoman said. "We continue to actively engage with and be responsive to state and federal regulators, agencies, and legislators to help better protect consumers.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAttorneys 'On the Move': Structured Finance Attorney Joins Hunton Andrews Kurth; Foley Adds IP Partner
4 minute readNY Civil Liberties Legal Director Stepping Down After Lengthy Tenure
Former Top Aide to NYC Mayor Is Charged With Bribery Conspiracy
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.