State Regulatory Developments

New York Proposes Expanding Cybersecurity Regulations to Cover Consumer Credit Reporting Agencies

The New York State Department of Financial Services (DFS) recently proposed regulations that would require all consumer credit reporting agencies reporting on consumers in the state to register with the Superintendent of Financial Services, refrain from certain prohibited practices, and comply with New York’s cybersecurity rules that took effect earlier this year. The proposal would extend the reach of the cybersecurity regulations beyond banks, insurance companies, and other institutions regulated by DFS, subjecting consumer credit reporting agencies to the same requirements as well as to proposed registration and prohibited practices provisions that are specific to those agencies.

The proposed regulations address what DFS asserts are deficient practices of consumer credit reporting agencies, including their alleged failure to safeguard consumer data.  The proposal would require consumer credit reporting agencies to register with DFS by February 1, 2018 and annually thereafter.  On the registration form, the agencies would need to designate officers or directors who would be responsible for ensuring compliance with the regulations.  In addition, the section titled “Prohibited Practices” forbids “any unfair, deceptive, or abusive act or practice” toward any consumer in violation of § 1036 of the Dodd-Frank Act.

Two key requirements from the existing cybersecurity rules that would now be applicable to consumer credit reporting agencies under the proposal are: (1) that regulated companies must appoint a Chief Information Security Officer; and (2) that they must conduct periodic risk assessments and create detailed cybersecurity plans to address data breaches.  Failure to comply could lead to the revocation or suspension of the agency’s registration and authorization to do business in the state.  Consumer credit reporting agencies would need to begin complying with the proposed regulation on April 4, 2018, and certain provisions would have varying effective dates between that date and October 4, 2019.

The proposed regulation is available here.