On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identify Theft Prevention and Mitigation Program (the Program). In a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

  • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
  • identify dedicated points of contact to assist the Division’s effective administering of the program;
  • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
  • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.