New York Issues Regulation to Protect New Yorkers from Data Breaches at Credit Reporting Agencies

Written By ESR News Blog Editor Thomas Ahearn

On June 25, 2018, New York Governor Andrew M. Cuomo announced that the state’s Department of Financial Services (DFS) issued a final regulation to protect New Yorkers from the threat of data breaches at credit reporting agencies such as the massive Equifax data breach that exposed the personal information of millions of New Yorkers, according to news release on the Governor’s website.

“As the federal government weakens consumer protections, New York is strengthening them with these new standards,” Governor Cuomo stated in the news release.  “Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber-attacks, providing them with peace of mind about their financial future.”

Under the regulation, all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year must register annually with DFS beginning on or before September 1, 2018, and by February 1 of each successive year for the calendar year thereafter. The registration form must include an agency’s officers and directors responsible for compliance with the regulation.

The regulation also provides the DFS Superintendent authority to deny, suspend, and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to be out of compliance. The DFS Superintendent may also refuse to renew a registration if the applicant or any member of the applicant’s company has:

  • Violated any insurance, financial service, or banking laws or violated any regulation, subpoena or order of the Superintendent or of another state’s insurance or banking commissioner or of any other state or federal agency with authority to regulate consumer credit reporting agencies, or has violated any law in the course of his or her dealings in such capacity;
  • Failed to comply with the requirements of the regulation, including but not limited to, section 201.07 concerning cybersecurity;
  • Used fraudulent, coercive or dishonest practices; or
  • Provided materially incorrect, materially misleading, materially incomplete or materially untrue information in the registration application.

The  regulation – which incorporated comments received during a public comment period to create New York’s first-in-the-nation cybersecurity standard that every credit reporting agency must comply with starting November 1, 2018 – also subjects consumer reporting agencies to examinations by DFS as often as determined is necessary, and prohibits agencies from the following unless preempted by federal law:

  • Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer;
  • Engaging in any unfair, deceptive or predatory act or practice toward any consumer;
  • Misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a New York consumer;
  • Engaging in any unfair, deceptive, or abusive act or practice in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act;
  • Failing to comply with the provisions of federal law relating to the accuracy of the information in any consumer report relating to a New York consumer;
  • Refusing to communicate with an authorized representative of a New York consumer who provides a written authorization signed by the consumer, with certain provisions; or
  • Making any false statement or making any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the Superintendent or another governmental agency.

The regulation requires banks, insurance companies, and financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers data, a written policy approved by the board or a senior officer, a Chief Information Security Officer (CISO) to help protect data and systems, and controls in place to help ensure the safety and soundness of New York’s financial services industry.

The regulation also requires protection of data from third-party vendors and filing an annual certification of compliance with DFS. “DFS’s oversight of credit reporting agencies will help to ensure that the personal data of New York consumers is less vulnerable to cyberattacks in this digital world, in order to prevent further breaches of consumer financial information,” DFS Superintendent Maria T. Vullo stated.

As ESR News reported earlier, the data breach incident at Equifax that was first disclosed on September 7, 2017, eventually impacted more than 145 million Americans, or almost half of the country. Equifax – one of three national credit reporting agencies with Experian and TransUnion – revealed the breach allowed access to sensitive information such as names, social security numbers, birth dates, and addresses.

The need for background screening firms to ensure information security in the wake of the Equifax data breach and other data breaches is one of the “ESR Top Ten Background Check Trends” for 2018 selected by global background check firm Employment Screening Resources (ESR). A complete list of top trends is available at www.esrcheck.com/Tools-Resources/ESR-Top-Ten-Background-Check-Trends/.

ESR Protects Against Data Breaches

Employment Screening Resources (ESR) – a leading global background check firm – undergoes annual SOC (Service Organization Control) 2 Audits to protect the privacy, security, and confidentiality consumer information used for background checks from unwanted intrustion including security and data breaches. To learn more, visit www.esrcheck.com/Why-ESR/SOC-2/.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2018 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.