The New York Department of State’s Division of Consumer Protection recently implemented an “Identity Theft Prevention and Mitigation Program” and adopted emergency regulations, effective immediately. According to the Division, the program is intended to “(1) inform consumers about how to protect their personal identifying information; (2) help consumers prevent identity theft, including taking steps to protect their identities once their personal identifying information has been compromised, and (3) help consumers mitigate issues related to the theft of their identities.”

The regulations, a copy of which is available here, establish requirements and procedures to provide consumers with “the means to protect themselves against identity theft and to assure appropriate assistance and complaint resolution mechanisms are in place for the protection and repair of their financial and credit history in the event their personal identifying information has been compromised.”

The regulations apply to any consumer credit reporting agency “that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, public record information and credit account information from persons who furnish that information regularly and in the ordinary course of business.”

Under the regulations, consumer credit reporting agencies are required to comply with any written requests for “documentation and/or records” from the Division of Consumer Protection within ten days. Section 226.5 envisions that the Division, while acting on behalf of a consumer to “investigate, mediate and/or mitigate an identity theft complaint” may require “substantiating and/or supporting documentation and/or records” from a consumer credit reporting agency.

In addition, under Section 226.6, each consumer credit reporting agency operating within New York state is “required to file with the Department such information as the Division finds necessary to effectively administer the Program.” Such information includes the following:

(a) the name of the consumer credit reporting agency;

(b) the principles and officers of the consumer credit reporting agency;

(c) the direct contact information for an individual or individuals within the consumer credit reporting agency available to the Division during regular business hours;

(d) the direct contact information for an individual or individuals within the consumer credit reporting agency available to the Division within 24 hours of a notification of a security breach pursuant to GBL §399-aa(8)(a);

(e) contact information available to consumers, including the consumer credit reporting agency’s web address, telephone number, and email address;

(f) a listing of all proprietary products offered by the consumer credit reporting agency to consumers for the prevention or mitigation of identity theft, any and all fees associated with the purchase of or subscription to such products, and the contractual provisions and disclosures in relation to such purchase or subscription, including but not limited to scope of services, liability for negligent or erroneous provision of services, and cancellation requests;

(g) a listing and description of all business affiliations and contractual relationships with any other entities, where such business affiliations or contractual relationships relate to the provision of any products or services advertised to consumers as products or services available for the prevention or mitigation of identity theft; and

(h) the consumer credit reporting agency’s D-U-N-S number.

Violations of the regulations can be referred to the Office of the New York Attorney General, the Department of Financial Services, or any other appropriate law enforcement or regulatory entity for action.

Troutman Sanders will continue to monitor related developments concerning the emergency regulations and their applicability to the credit reporting industry.