New York Proposes Regulations for Credit Reporting Agencies in Response to Equifax Data Breach

Written By ESR News Blog Editor Thomas Ahearn

In response to the massive Equifax data breach that exposed the personal data of approximately 143 million U.S. consumers – almost half the country – Governor Andrew Cuomo has directed the New York Department of Financial Services (NYDFS) to issue a proposed regulation that would require credit reporting agencies to register to comply with the state’s cybersecurity standard, according to a NYDFS press release.

“A person’s credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo stated in the NYDFS press release. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world.”

The proposed regulation provides the NYDFS Superintendent with the authority to deny and potentially revoke authorization of consumer credit reporting agencies to do business with New York’s regulated financial institutions. The proposed regulation also subjects them to examinations by the NYDFS as often as the Superintendent determines is necessary, and prohibits agencies from the following:

  • Directly or indirectly employing any scheme, device, or artifice to defraud or mislead a consumer.
  • Engaging in any unfair, deceptive, or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State.
  • Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
  • Including inaccurate information in any consumer report relating to a consumer located in New York State.
  • Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
  • Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.

Under the proposed regulation, all consumer credit reporting agencies that operate in New York must register annually with NYDFS beginning on or before February 1, 2018 and by February 1 of each successive year thereafter. The registration form must include an agency’s officers or directors who will be responsible for compliance with the financial services, banking, and insurance laws, and regulations.

Starting April 4, 2018, every credit reporting agency must comply with a NYDFS cybersecurity regulation that requires banks, insurance companies, and financial services institutions regulated by NYDFS to have a cybersecurity program designed to protect private data of consumers, a written policy approved by the board or a senior officer, a Chief Information Security Officer (CISO) to protect data and systems, and controls and plans in place to help ensure the safety of New York’s financial services industry.

Employers concerned about credit reports used for background checks being affected by the Equifax data breach can breathe easier knowing their employees won’t be affected. “I don’t think there’s a risk to consumers in terms of credit reports that are ordered by employers,” said Brad Landin, president and chief compliance officer of global background check firm Employment Screening Resources® (ESR).

Interviewed for the Bloomberg BNA article ‘Should Equifax Data Breach Worry Employers?,’ Landin said it was “unlikely employer credit checks for hiring purposes will be affected by the hack” since most credit reports used by employers are from resellers of credit information and not directly from Equifax. “I’m highly confident that the availability of Equifax credit reports is largely unaffected,” said Landin.

SOC 2 Audits Help Protect Credit Information of Consumers

Employment Screening Resources® (ESR) – a strategic choice for businesses needing accuracy and compliance in their background check programs – has completed a SOC 2® Type 2 data security audit for 2017 to ensure ESR protects the privacy, security, and confidentiality of consumer information such as credit reports against events like the Equifax data breach. To learn more, visit www.esrcheck.com.

Visit ESR on social media at FacebookTwitter, and LinkedIn.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2017 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.