Two of the highest-ranking officials in New York are using the Equifax security breach to intensify actions within the Empire State, bringing Experian and TransUnion into the matter, too.
On Tuesday, Gov. Andrew Cuomo directed the New York Department of Financial Services to issue a new regulation requiring credit reporting agencies to register with New York for the first time and comply with what the state has called a first-in-the-nation cybersecurity standard.
Then on Wednesday, New York Attorney General Eric Schneiderman announced that his office has sent formal inquiries regarding data security to Experian and TransUnion following the Equifax data breach that potentially exposed the personal information of 143 million consumers.
“A person’s credit history affects virtually every part of their lives, and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security,” Cuomo said.
“The Equifax breach has left millions of New Yorkers vulnerable to identity theft and major financial issues,” Schneiderman said. “Credit reporting agencies have a fundamental responsibility to protect the personal information they’re entrusted with.
“As we continue our investigation into the Equifax breach, it’s vital to ensure that consumer data at the other major credit reporting agencies is safe,” Schneiderman added.
Under the proposed regulation, all consumer credit reporting agencies that operate in New York must register annually with DFS beginning on or before Feb. 1 and by Feb. 1 of each successive year for the calendar year thereafter. The registration form must include an agency’s officers or directors who will be responsible for compliance with the financial services, banking, and insurance laws and regulations.
The annual reporting obligation contained within the proposal also provides the DFS Superintendent with the authority to deny and potentially revoke a consumer credit reporting agency's authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” Department of Financial Services superintendent Maria Vullo said. “This is one necessary action of several that DFS will take to protect New York's markets, consumers and sensitive information from criminals.”
The DFS Superintendent may refuse to renew a consumer credit reporting agency's registration if the superintendent finds that the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that the agency has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.
The proposed regulation also subjects consumer reporting agencies to examinations by DFS as often as the superintendent determines is necessary, and prohibits agencies from the following:
—Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer.
—Engaging in any unfair, deceptive or predatory act or practice toward any consumer, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State.
—Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
—Including inaccurate information in any consumer report relating to a consumer located in New York State.
—Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
—Making any false statement or any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.
In addition, every credit reporting agency must comply with the department’s cybersecurity regulation, on a phased-in schedule of compliance, starting April 4.
DFS’ cybersecurity regulation requires banks, insurance companies and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world,” Cuomo said. “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
And Schneiderman wants to know what Experian and TransUnion are doing, as well.
In letters sent to the CEOs of the two companies, the attorney general’s office asks them to detail:
—The security measures that were in place before they learned of the Equifax breach
—Steps the companies have taken since learning of the breach to ensure that they haven’t already suffered similar intrusions and won’t experience breaches moving forward
—How they will further assist consumers in protecting their personal information
Schneiderman is seeking the answers to these questions by Sept. 21 and a meeting with top executives at Experian and TransUnion by Sept. 28.