On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo's directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state's "First-in-the-Nation Cybersecurity Regulation" (Cybersecurity Regulation), which was finalized earlier this year (see previous InfoBytes coverage). The Cybersecurity Regulation applies to entities "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law" and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and prescriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.
Governor Cuomo expressed the need for consumer credit reporting agencies to improve their security controls and stated that "[o]versight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world." By regulating consumer credit reporting agencies, and by encouraging other states to enact requirements similar to New York's, Governor Cuomo seeks to establish leverage over this industry to strengthen cybersecurity practices.
Under the proposed CRA Regulation, registered consumer credit reporting agencies would be subject to examinations by the NYDFS as often as the Superintendent determines is necessary to investigate the assembly, evaluation, or maintenance of any consumer credit report on any New York consumer. The NYDFS Superintendent may refuse to renew, revoke, or suspend a consumer credit reporting agency's registration on a finding that "any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that the agency has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard." In addition to the requirements of the Cybersecurity Regulation, the proposed CRA Regulation expressly prohibits consumer credit reporting agencies from the following practices:
- Employing any scheme to defraud or mislead a consumer
- Engaging in any unfair, deceptive or predatory act or practice toward any consumer
- Misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a New York consumer's credit
- Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
- Including inaccurate information in any consumer report relating to a New York consumer
- Refusing to communicate with an authorized representative of a New York consumer who provides a written authorization signed by the consumer
- Making any false statement or omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the NYDFS Superintendent or another governmental agency
Consumer credit reporting agencies are primarily regulated under the federal Fair Credit Reporting Act, which preempts state laws regulating several aspects of credit reporting that are within its scope. However, other states have enacted registration requirements for consumer reporting agencies, and other provisions of the CRA Regulation and Cybersecurity Regulation may not be affected by the federal law.
We will continue to monitor the proposed CRA Regulation and the Cybersecurity Regulation, as well as the actions of other states amid the current increase in state activity on cybersecurity topics.