[BreachExchange] And Now, In Recent New York Cybersecurity Action…

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 10 20:30:38 EDT 2017


http://www.jdsupra.com/legalnews/and-now-in-recent-new-york-54950/

New York State Governor Andrew Cuomo and the New York State Department of
Financial Services (“DFS”) have been busy on the cybersecurity front. In a
press release on September 18, 2017, building upon the state’s pride in its
“first-in-the-nation” cybersecurity regulations that were passed earlier
this year (which we previously discussed on our blog and in our articles
“Getting Prepared for the New York Department of Financial Services’
Proposed Cybersecurity Regulations” and “New York Releases Revised Proposed
Cybersecurity Regulations”), the Governor directed that new regulations be
put in place to require consumer credit reporting agencies to register with
DFS (thus making them entities subject to the DFS cybersecurity
regulations). The Governor’s press release stated “[o]versight of credit
reporting agencies will help ensure that personal information is less
vulnerable to cyberattacks and other nefarious acts in this rapidly
changing digital world.”

The proposed regulations are entitled “Registration Requirements &
Prohibited Practices for Credit Reporting Agencies” and would be codified
in a new Part 201 to Title 23 of the New York Code of Rules and Regulations
(the “NYCRR” as it is commonly known). As noted in the introduction to
proposed Part 201, the regulations would address not only safeguarding
data, but also failures to maintain accurate data and to investigate a
complaint made by a consumer about allegedly incorrect information in a
credit report.

Under the proposed regulations, consumer credit reporting agencies (those
entities that regularly provide information pertaining to a consumer’s
credit, or public record information and credit account information –
defined as “consumer credit reports”) must register with DFS no later than
February 1, 2018 (and earlier if they will provide consumer credit reports
prior to February 1, 2018), and then renew on an annual basis by each
February 1st. Unregistered entities are not authorized to assemble or
maintain a consumer credit report – and other entities that are regulated
by DFS (such as banks or insurance companies) cannot provide information to
unregistered entities nor pay them any fees.

The proposed regulations have fairly broad information reporting
requirements, requiring the consumer credit reporting agency to provide a
sworn report with “the information requested by the Superintendent” and to
allow DFS to make “any inquiry in relation to the assembly, evaluation, or
maintenance of any consumer credit report on any consumers located in New
York.” If a consumer credit reporting agency violates any insurance,
financial services or banking laws, DFS regulations (or those of other
states), provides materially incorrect information or commits similar
nefarious acts, the agency’s registration may be revoked or suspended.
Finally, the proposed regulations deem consumer credit reporting agencies
“Covered Entities” and expressly subject to the DFS cybersecurity
regulations.

The principal consumer credit bureaus are not based in New York – so it
will be interesting to see if they oppose the proposed regulations.

In its press release on the same day, DFS announced guidance to its
regulated institutions with respect to cybersecurity measures. DFS
recommended that entities implement several steps, including installing all
IT and information security patches and following up on ID theft and fraud
prevention measures. The Department also provided a reminder about the
provisions in the DFS cybersecurity regulations which apply to third-party
service providers.