Last year’s Equifax breach exposed the personal private data of millions of NY residents.
By Forum Staff
The State Department of Financial Services has issued a final regulation to protect New Yorkers from the threat of data breaches at credit reporting agencies, such as last year’s Equifax breach that exposed the personal private data of millions of NY residents, Gov. Andrew Cuomo announced on Monday.
According to the State, the new regulation requires credit reporting agencies with significant operations in New York to register with DFS for the first time and to comply with New York’s cybersecurity standard. The annual reporting obligation also provides the DFS superintendent with the authority to deny, suspend and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.
Under the new regulation, all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year must register annually with DFS beginning on or before Sept. 1, 2018, and by Feb. 1 of each successive year for the calendar year thereafter. The registration form must include an agency’s officers and directors who will be responsible for compliance with the financial services, banking, and insurance laws and regulations.
The DFS superintendent may refuse to renew a consumer credit reporting agency’s registration if the superintendent finds that the applicant or any member, principal, officer or director of the applicant has, among other things:
• Violated any insurance, financial service, or banking laws or violated any regulation, subpoena or order of the Superintendent or of another state’s insurance or banking commissioner or of any other state or federal agency with authority to regulate consumer credit reporting agencies, or has violated any law in the course of his or her dealings in such capacity;
• Failed to comply with the requirements of the regulation, including but not limited to, section 201.07 concerning cybersecurity;
• Used fraudulent, coercive or dishonest practices; or
• Provided materially incorrect, materially misleading, materially incomplete or materially untrue information in the registration application.
Additionally, every credit reporting agency must comply with the State’s cybersecurity regulation, beginning on Nov. 1, 2018, pursuant to the timetable included in the final regulation. DFS’s cybersecurity regulation requires banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry. DFS’s cybersecurity regulation also requires the protection of data from third-party vendors and the filing with DFS of an annual certification of compliance.
“As the federal government weakens consumer protections, New York is strengthening them with these new standards,” Cuomo said. “Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber-attacks, providing them with peace of mind about their financial future.”