New York State Governor Andrew Cuomo and the New York State Department of Financial Services (“DFS”) have been busy on the cybersecurity front. In a press release on September 18, 2017, building upon the state’s pride in its “first-in-the-nation” cybersecurity regulations that were passed earlier this year, (which we previously discussed on our blog and in our articles Getting Prepared for the New York Department of Financial Services’ Proposed Cybersecurity Regulations, and New York Releases Revised Proposed Cybersecurity Regulations) the Governor directed that new regulations be put in place to require consumer credit reporting agencies to register with DFS (thus making them an entity subject to the DFS cybersecurity regulations). The Governor’s press release stated “[o]versight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world.”
The proposed regulations are entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies” and would be codified in a new Part 201 to Title 23 of the New York Code of Rules and Regulations (the “NYCRR” as it is commonly known). As noted in the introduction to proposed Part 201, the regulations would address not only safeguarding data, but also failures to maintain accurate data and to investigate a complaint made by a consumer about allegedly incorrect information in a credit report.
Under the proposed regulations, consumer credit reporting agencies (those entities that regularly provide information pertaining to a consumer’s credit, or public record information and credit account information – defined as “consumer credit reports”) must register with DFS no later than February 1, 2018 (and earlier if they will provide consumer credit reports prior to February 1, 2018), and then renew on an annual basis by each February 1st. Unregistered entities are not authorized to assemble or maintain a consumer credit report – and other entities that are regulated by DFS (such as banks or insurance companies) cannot provide information to unregistered entities nor pay them any fees.
The proposed regulations have fairly broad information reporting requirements, requiring the consumer credit reporting agency to provide a sworn report with “the information requested by the Superintendent” and to allow DFS to make “any inquiry in relation to the assembly, evaluation, or maintenance of any consumer credit report on any consumers located in New York.” If a consumer credit reporting agency violates any insurance, financial services or banking laws, DFS regulations (or those of other states), provides materially incorrect information or commits similar nefarious acts, the agency’s registration may be revoked or suspended. Finally, the proposed regulations deem consumer credit reporting agencies “Covered Entities” and expressly subject to the DFS cybersecurity regulations.
The principal consumer credit bureaus are not based in New York – so it will be interesting to see if they oppose the proposed regulations.
In its press release on the same day, DFS announced guidance to its regulated institutions with respect to cybersecurity measures. DFS recommended that entities implement several steps, including installing all IT and information security patches and following up on ID theft and fraud prevention measures. The Department also provided a reminder about the provisions in the DFS cybersecurity regulations which apply to third-party service providers.