Skip to Content

NY Seeks to Extend Cybersecurity Rules to Credit Reporting Agencies

Thu 12 Oct, 2017  /  by McIntyre & Lemon  /   Legislative Updates

10/12/17 – New York Department of Financial Services (DFS) issued new proposed regulations which would require credit reporting agencies to register with DFS and comply with New York’s cybersecurity standard.

In a press release, the DFS published the proposed regulations that would place obligations on consumer credit reporting agencies in light of the recent Equifax breach. The proposed regulatrions would also provides DFS the authority to deny and potentially revoke a consumer credit reporting agency’s authorization to do business with New York’s regulated financial institutions and consumers if the agency is found to be out of compliance with the financial services, banking, and insurance laws, and regulations, including engaging in unfair, deceptive, or predatory practices.

Under the proposed regulation, all consumer credit reporting agencies that operate in New York must register annually with DFS beginning on or before February 1, 2018 and by February 1 of each successive year for the calendar year thereafter.  The registration form must include an agency’s officers or directors who will be responsible for legal compliance.

The proposed regulation also subjects consumer credit reporting agencies to examinations by DFS and prohibits the agencies from doing the following:

  • Directly or indirectly employing any scheme, device, or artifice to defraud or mislead a consumer.
  • Engaging in any unfair, deceptive, or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State.
  • Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
  • Including inaccurate information in any consumer report relating to a consumer located in New York State.
  • Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
  • Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.

In addition, the proposed regulation would require credit reporting agencies to comply with DFS’s cybersecurity regulation starting April 4, 2018. DFS’s cybersecurity regulation requires banks, insurance companies, and other financial services institutions regulated by DFS to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

Comments on the proposed regulation may be submitted until November 20, 2017 to:

Eamon Rock, Esq.
New York State Department of Financial Services
One Commerce Plaza
Albany, NY 12257
(518) 474- 4567
email: until

DFS Press Release; Proposed Regulation.