Equifax hack extends oversightReprints
New York Gov. Andrew Cuomo extended the regulations in Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York to credit reporting agencies in the wake of the Equifax Inc. breach on Sept. 18.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyber attacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wake-up call, and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation,” Gov. Cuomo said in a statement at the time.
Consumer credit reporting agencies that operate in New York must register annually with the state’s Department of Financial Services beginning on or before Feb. 1, 2018, and by Feb. 1 of each successive year for the calendar year thereafter.
Further, every credit reporting agency must also comply with the department’s cyber security regulation on a phased-in schedule of compliance beginning April 4, 2018.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cyber security actions,” said Financial Services Superintendent Maria T. Vullo in New York. “This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals.”
The move was a positive and even necessary step, according to one New York technology consultant.
“I think for the optics and the substance, credit reporting companies have to be included,” said Scott Corzine, senior managing director with Ankura Consulting Group L.L.C. in New York. “These are companies that provide stewardship over vast amounts of highly personal data in a way that is aggregated and concentrated.”