The massive Equifax breach continues to prompt responses from a wide range of regulators. While this is not surprising in light of the scale and nature of the incident, a number of regulators are taking more aggressive and more public actions within just a short time of the public announcement of the breach. While there is a long history of regulators taking action following high-profile breaches, the speed of the regulatory response here is unusual compared with the response to other high-profile breaches that have occurred in the past five years. For example, while multistate Attorney General (“AG”) investigations and settlements are becoming the norm, the Massachusetts AG has already filed suit against Equifax.
Noteworthy is the speed at which the New York Department of Financial Services (“NYDFS”) has responded both with guidance and proposed rules, only a short time after issuing controversial cybersecurity rules. Specifically, on September 18, NYDFS issued guidance for NYDFS-regulated financial institutions “to highlight the seriousness of [the Equifax breach] and to ensure that this incident receives the highest level of attention and vigilance.” In this regard, the guidance reiterates the importance of controls required by the NYDFS cyber rules (e.g., multifactor authentication) in light of the sensitive information apparently compromised in the Equifax breach. Also on September 18, NYDFS issued proposed rules to regulate consumer reporting agencies (“CRAs”) doing business in New York, including requiring compliance with the NYDFS cyber rules and imposing certain unrelated credit reporting obligations, similar to those required by the Fair Credit Reporting Act (“FCRA”).
These actions by NYDFS reaffirm the apparent desire of NYDFS to play a prominent role in driving cybersecurity policy in this country.
NYDFS Guidance on Equifax Breach
NYDFS has issued guidance regarding the Equifax breach for both insurers and other financial institutions. In specific response to public reports of the nature of the Equifax breach, NYDFS prominently advises covered financial institutions to ensure that “technology and information security patches have been installed.” In addition, because of the sensitive nature of the information apparently compromised in the Equifax breach, NYDFS cautions covered financial institutions against relying on personally identifiable information as a means of verifying a person’s identity and indicates that these types of breach incidents “increasingly necessitate consideration of” multifactor authentication.
The guidance also reiterates the third-party management requirements of the NYDFS cybersecurity rules. Specifically, for covered financial institutions that furnish information to Equifax, the guidance indicates that the financial institutions should “ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data in light of this cyberattack, taking into consideration the Department’s cybersecurity regulation (23 NYCRR Part 500) with respect to third party service providers.”
Because of the risk of identity theft and fraud resulting from the Equifax breach, the guidance also includes account-opening recommendations, including recommendations that covered financial institutions:
- Ensure that appropriate identity theft and fraud prevention programs are in place and followed before new accounts are opened;
- Confirm the validity of information contained in any Equifax credit reports before relying on those reports; and
- Create a customer call center, if appropriate, for customers to inform the financial institution “that their information has been hacked” and consider “red flagging” the accounts of customers who report that they were impacted so that additional steps can be taken before opening new accounts or changing existing accounts for those customers.
Expansion of Cybersecurity (and Other) Regulation to CRAs
In addition to highlighting the importance of the cybersecurity regulations to covered financial institutions, NYDFS has also proposed rules that would require CRAs that handle consumer report information relating to New York residents (“Covered CRAs”) to comply with a host of requirements, including the NYDFS cyber rules, and that would otherwise regulate the credit reporting business in New York. It should be noted that the proposed rule defines a “consumer reporting agency” in a manner substantially the same as the FCRA.
Under the proposed rules, a Covered CRA would be required to register with NYDFS beginning on February 1, 2018, and on an annual basis thereafter and would be subject to examination by NYDFS.
While the proposed rules would impose significant prohibitions on Covered CRAs with respect to their core credit reporting business, as noted below, and would also grant NYDFS broad authority to suspend or revoke the registration of a Covered CRA, the proposed rules are noteworthy because they would make Covered CRAs subject to the NYDFS cyber rules. The proposed rules also would take the significant step of providing that a Covered CRA’s failure to comply with the NYDFS cyber rules (or engaging in certain other prohibited conduct, e.g., engaging in “dishonest practices”) would be grounds for NYDFS to refuse to renew, revoke, or suspend the registration of a Covered CRA, subject to notice and a hearing.
The proposed rules include a number of prohibitions similar to those to which consumer reporting agencies are currently subject under federal law, including the FCRA and the prohibitions on unfair and deceptive practices under Section 5 of the FTC Act and under the Consumer Financial Protection Act. For example, Covered CRAs would be prohibited from “employing any scheme, device or artifice to defraud or mislead a consumer” or “[e]ngaging in any unfair, deceptive or predatory act or practice toward any consumer.” Covered CRAs also would be prohibited from misrepresenting or omitting “any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State” or including “inaccurate information in any consumer report relating to a consumer located in New York State.”
* * * *
These actions by NYDFS are an acute reminder that the “fallout” relating to a high-profile breach experienced by a company can lead to new requirements and expectations for a company’s competitors and other companies in a similar sector. And in light of the fact that high-profile breaches are becoming common, one can only assume that NYDFS will continue to play an active role in driving cybersecurity policy and expectations within the country.