Governor Cuomo Mandates Compliance by Credit Reporting Agencies with Sweeping New Cybersecurity Requirements

New York Governor Andrew Cuomo has issued a final regulation that requires credit reporting agencies doing business in New York to register annually with the Department of Financial Services (DFS) and also to comply with accompanying cybersecurity regulations, including the implementation of a cybersecurity program consistent with the requirements already in place for banks, insurance companies and other financial services institutions. The purpose of the new regulation is to protect New Yorkers from data breaches, such as the Equifax breach which exposed the private data of millions of individuals.

The new regulation, entitled "Registration Requirements & Prohibited Practices For Credit Reporting Agencies, 23 NYCRR 201, et seq.," largely follows the provisions of the Fair Credit Reporting Act (FCRA). It defines a "consumer credit reporting agency" as one "that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer's credit worthiness, credit standing, or credit capacity, and credit account information from persons who furnish that information regularly and in the ordinary course of business." 23 NYCRR 201.01(d). Note, however, that a "credit report" does not include "(i) any report containing information solely as to transactions or experiences between the consumer and the person making the report, (ii) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device, or (iii) any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his decision with respect to such request," if the third party provides the consumer with the information of the entity making such request.

Any entity that qualifies as a "consumer credit reporting agency" and which has assembled, evaluated or maintained a consumer credit report for 1,000 or more New York consumers must register with DFS no later than September 1, 2018, and is also required to register annually by February 1 of each successive year. Beginning July 1, 2019, every consumer reporting agency must file a certificate of compliance with DFS.

Failure to register will prohibit a consumer reporting agency from furnishing a consumer credit report on a New York consumer, receiving payment or compensation, or transmitting such credit information to any third party. Any registered credit reporting agency will also be subject to New York laws prohibiting "unfair, deceptive or predatory practice" under federal or state law. A credit reporting agency found to violate any such consumer protection laws may be denied registration or renewal of registration, or face revocation of registration.

With the new law, credit reporting agencies must also comply with the cybersecurity requirements of the DFS. No later than November 1, 2018, credit reporting agencies must implement a cybersecurity program to protect private data of consumers; have written policies approved by the board or a senior officer; designate a Chief Information Security Officer assigned to protect data and systems; and protect consumer data received from third-party vendors. An annual certificate of compliance with the cybersecurity requirements must also be filed with the DFS.

The new law potentially cuts across a wide swath of entities dealing with the private data of consumers, including retail stores, lending institutions and debt collection agencies to the extent that these entities compile, assemble and/or maintain the type of information included in a credit report. Unlike the FCRA, however, this regulation does not define creditors or furnishers of information to credit reporting agencies, much less provide specific provisions as applicable to such entities.

The DFS has proven to be vigilant in monitoring and enforcing New York's regulatory requirements. Because this is a new regulation, we anticipate that DFS will issue further information to clarify its provisions and/or requirements. We shall continue to keep you apprised of regulatory developments to assist you in your compliance efforts.

Download the complete provisions of the new law (PDF)