On September 18, New York Governor Andrew Cuomo issued a press release directing the New York Department of Financial Services (“NYDFS”) to impose new rules on consumer reporting agencies (“CRAs”).  The new regulation would require CRAs to register with New York for the first time and comply with the state’s cybersecurity standard.  The standard – which goes into effect on April 4, 2018 – requires every CRA to have a cybersecurity program designed to protect private data of consumers, a written policy approved by the board or a senior officer, a Chief Information Security Officer (CISO) to protect data and systems, and controls and plans in place to help ensure the safety of New York’s financial services industry.

“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Cuomo stated in the NYDFS press release.  “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world.”

Under the proposed regulation, all CRAs that operate in New York must register annually with the NYDFS beginning on or before February 1, 2018, and by February 1 of each successive year for the calendar year thereafter.  The registration form must include an agency’s officers or directors who will be responsible for compliance with financial services, banking, and insurance laws and regulations.

The proposed regulation also subjects CRAs to examinations by the NYDFS as often as the Superintendent determines is necessary, and prohibits the following:

  • Directly or indirectly employing any scheme, device, or artifice to defraud or mislead a consumer;
  • Engaging in any unfair, deceptive, or predatory act or practice toward any consumer or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State;
  • Engaging in any unfair, deceptive, or abusive act or practice in violation of § 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act;
  • Including inaccurate information in any consumer report relating to a consumer located in New York State;
  • Refusing to communicate with an authorized representative of a consumer located within New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer; and
  • Making any false statement or making any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.

The proposed regulation would empower NYDFS to suspend or revoke a CRA’s registration based not only on the bad acts of a CRA itself but also on those of individual members, principals, officers, directors, or controlling persons at the CRA.

NYDFS is expected to release an official version for public comment in the coming weeks.  CRAs located in New York should strongly consider participating in this rulemaking process.

Troutman Sanders will continue to monitor these developments and will provide further updates as they become available.