Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.” According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

The DFS wasted no time following the Governor’s instructions. This morning, the Department announced a proposed regulation that places credit reporting agencies squarely within the purview of the DFS, prohibits them from committing “any unfair” act, and requires them to comply with the DFS cybersecurity regulation.

The proposed regulation—which is subject to the statutory 45-day-reporting and public-comment period—includes a litany of detailed and unprecedented requirements for “consumer credit reporting agencies”:

  • Any agency that “assembles, evaluates, or maintains a consumer credit report on any consumers located in New York State” must “register with” the DFS. The Superintendent may, in turn, “refuse to renew a consumer credit report agency’s registration” if the “applicant, or any member, principal, officer, or director” is not “trustworthy” or “competent,” or “has failed to comply with any minimum standard.”

  • After notice and a hearing, the DFS may revoke or suspend the registration of a consumer reporting agency that: violated applicable laws or orders; provided materially incorrect, misleading, incomplete or untrue information to the DFS; failed to comply with the new regulation; improperly withheld or misappropriated any monies; committed any “unfair trade practice or fraud”; was convicted of a felony; had its registration denied or revoked in any other state or territory; or failed to pay state income tax.

  • Credit reporting agencies are prohibited from: misleading consumers; engaging in any unfair, deceptive or predatory act; violating 12 U.S.C. § 5536 (which prohibits, among other things, violations of any federal consumer financial laws); including false information in any consumer report; refusing to communicate with consumers’ representatives; and giving any false information to the DFS or other governmental agencies.

  • Finally, every consumer credit reporting agency must comply with the DFS cybersecurity regulation. The timeline for credit agencies to comply with the regulation, however, differs from the timeline for other financial institutions.

New York appears to be the first state to respond to the Equifax breach with a new, expansive regulation. We will continue to monitor and report on the rulemaking process.