Credit agencies must follow New York cyber guidelines following Equifax

In response to the Equifax Inc. data breach, New York’s Department of Financial Services issued a regulation Monday that requires consumer credit reporting agencies with significant New York operations to register with the department and comply with New York’s cyber security standard.

The department said in a statement Monday that consumer credit reporting agencies that reported on at least 1,000 New York consumers in the preceding year must register annually with the department beginning on or before Sept. 2, 2018 Sept. 1, and by Feb. 2 Feb. 1of each successive year for the calendar year thereafter.

The annual reporting obligation provides the department’s superintendent with the authority to deny, suspend and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices including engaging in unfair, deceptive or predatory practices, the statement said.

The agencies must also comply with the department’s cyber security regulation beginning in Nov. 1, 2018. The regulation requires banks, insurers and other financial services institutions regulated by the department to have a cyber security program in place. 

Equifax said in September that hackers had stolen personally identifiable information of U.S., British and Canadian consumers. It later confirmed that information on about 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses and 209,000 payment card numbers and expiration dates was stolen in the cyber security incident.