In the wake of the recent cyberattack on Equifax resulting in the possible disclosure of the personal data of over 150 million consumers, on September 18, 2017, New York State announced the issuance of proposed New York State Department of Financial Services (DFS) regulations that would require consumer credit reporting agencies to register with the DFS.

According to the DFS, these would be the first registration requirements for such credit reporting agencies in the United States. In its statement in support of the proposal, the DFS noted that the “proposed rule is necessary to ensure that consumers and markets are protected from unsafe and unsound practices of any consumer credit reporting agencies and to ensure that those agencies are effectively addressing ever-growing cybersecurity risks.”

The proposed regulation’s requirements include the following:

  • All consumer credit reporting agencies reporting on New York State consumers will be required to register with the DFS
  • Registrations will begin February 1, 2018, and will need to be renewed annually
  • The DFS Superintendent may refuse to renew a registration if in the Superintendent’s judgment, the agency or any of its members, principals, officers or directors are “not trustworthy and competent to act as or in connection with a consumer credit reporting agency”
  • Registered consumer credit reporting agencies will be required to submit to examination by the DFS
  • By July 1 of each year, each registered consumer credit reporting agency must file an information report with the DFS; reports also might be requested quarterly
  • The DFS may suspend or revoke a registration on several grounds, including violating laws or regulations, engaging in fraudulent, coercive or dishonest practices or failing to pay required taxes
  • Generally prohibited acts and practices of persons who report on New York State consumers include directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer, engaging in unfair, deceptive or predatory acts or practices and refusing to communicate with a consumer’s authorized representative

The proposal also would require that the credit reporting agencies comply with the DFS cybersecurity regulations, which recently started to come into effect and include development of a cybersecurity program designed to protect consumers’ private data, establishment of written cybersecurity policies approved by the board or a senior officer and appointment of a Chief Information Security Officer to help protect data and systems.

Comments on the proposal are due by November 18, 2017.