Equifax Inc., Experian Inc., and TransUnion will have to comply with New York’s financial sector cybersecurity rules as of Nov. 1, after the state moved to police the credit reporting companies’ data security woes.
The New York Department of Financial Services moved to put the credit bureaus under its rules because of the massive 2017 data breach at Equifax and smaller ones at Experian in 2013. The rules will also help impose more cybersecurity requirements on credit bureaus handling some of the most sensitive consumer data, such as Social Security numbers.
“The decision to make credit reporting agencies subject to the NYDFS cybersecurity regulation clearly stems from last year’s data breach suffered by Equifax, which was roundly criticized both for being hacked and for its public disclosure and consumer notification efforts after the fact,” Keith Gerver, senior white collar defense and investigations associate at Cadwalader Wickersham & Taft LLP in Washington, told Bloomberg Law.
In her June statement announcing the expansion of the rules to cover credit bureaus, New York DFS Superintendent Maria Vullo said the “first-in-the-nation” rules were intended “to to safeguard New York’s markets, consumers and sensitive information from cyberattacks.” Credit reporting bureaus that cover over 1,000 New York consumers will have new regulatory requirements under the rules.
Reporting bureaus will have to register with the state and provide business operation details, and identify a corporate official who is legally responsible for complying with the rules. They will have to recertify with the NYDFS each February.
Equifax and TransUnion didn’t immediately respond to Bloomberg Law’s email requests for comments. Experian said in a statement it is “vigilant when it comes to data security and we are in full compliance with New York Department of Financial Services regulations concerning cybersecurity.”
Strict Breach Window: Among the strictest of the new rules is a requirement that the bureaus notify the department of a breach within 72 hours.
“This deadline, which mirrors that of the GDPR, means that covered entities may need to make notification to the regulator even before many of the details of the breach have been investigated and assessed,” said Gerver, in a reference to the EU’s General Data Protection Regulation.
Credit reporting bureaus may have to spend plenty of time and resources to update their incident response policies to comply with that notification requirement, Robert Braun, co-chair of the cybersecurity and privacy group at Jeffer Mangels Butler & Mitchell LLP in Los Angeles, told Bloomberg Law. “A lot of credit bureaus will have to go back and amend their policies to make it specific to New York,” he said. Others may amend their policies to make it easier to adopt to other state regulations that may change to adapt to New York’s standards, Braun said.
Enforcement Ahead? The bureaus aren’t allowed to engage in conduct harmful to consumers under the rules, and to be available to regulators for internal investigations. Once the cybersecurity rules are in place, New York regulators will likely be aggressive about enforcing them, attorneys said. “It is difficult to imagine that DFS will not take the opportunity to make an example of a credit reporting agency that fails to abide by its new obligations,” Gerver said. The NYDFS also has a long history of taking strong actions for non-compliance with its other rules, Braun said. “It certainly ratchets up the consequences of not complying for Equifax, Experian, and TransUnion,” Braun said.
Source: Bloomberg Law