November 30, 2022

Volume XII, Number 334

NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.

The new regulation became effective upon the publication of a Notice of Adoption by the NYDFS in the State Register on July 3, 2018.  Its definitions of “consumer credit report” and “consumer credit reporting agency” closely track the definitions of, respectively, the terms “consumer report” and “consumer reporting agency” in the federal Fair Credit Reporting Act (“FCRA”).  However, the term “consumer credit report” is limited to “a consumer report…bearing on a consumer’s credit worthiness, credit standing, or credit capacity.”  Similarly, the term “consumer credit reporting agency” is limited to “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining [information from furnishers] for the purpose of furnishing consumer credit reports to third parties.”  The term “New York consumer” is defined as “an individual who is a resident of New York State as reflected in the most recent information in the possession of a [CCRA].”


A CCRA must register with the NYDFS if “within the previous 12-month period, [it] has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers.”  Every CCRA “that is required to register…at any time between June 1, 2018 and September 1, 2018” must register by September 15, 2018.  Registration must be renewed by February 1, 2019 for the 2019 calendar year and by February 1 of each year thereafter.

The regulation prohibits a CCRA that is required to be registered and has not done so from engaging in the business of a CCRA in New York by furnishing a consumer credit report on a New York consumer to any individual or entity.  It also prohibits any “regulated person” from paying “any fee or other compensation” or transmitting any information about a New York resident to a CCRA that is required to be registered and has not done so.  A “regulated person” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”


A CCRA that is required to register with the NYDFS must comply with all material provisions of the NYDFS cybersecurity regulation.  The NYDFS has established different compliance deadlines for particular requirements of the cybersecurity regulation.  Each registered CCRA must comply with the following provisions by November 1, 2018:

  • Cybersecurity Program — § 500.02
  • Cybersecurity Policy — § 500.03
  • Chief Information Security Officer — § 500.04(a)
  • Access Privileges — § 500.07
  • Cybersecurity Personnel & Intelligence — § 500.10
  • Incident Response Plan — § 500.16
  • Notices to Superintendent — § 500.17

CCRAs that must register will be entitled to the confidentiality protections of the cybersecurity regulation (§ 500.18) as of November 1, 2018, which is also the date on which the NYDFS will begin enforcing the cybersecurity regulation against CCRAs.  As to enforcement, the new regulation also expressly prohibits registered CCRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer that is prohibited by any federal law, or by any New York State law that is not preempted by federal law,” or engaging in “any unfair, deceptive, or abusive act or practice in violation of section 1036 of the [Dodd-Frank Act].”

Each registered CCRA must comply with the following provisions by February 28, 2019:

  • CISO Report to the Board of Directors — § 500.04(b)
  • Penetration Testing & Vulnerability Assessments — § 500.05
  • Risk Assessment — § 500.09
  • Multi-factor Authentication — § 500.12
  • Training & Monitoring — § 500.14(a)(2) — Because Section 500.14 does not contain a subsection (a)(2), we suspect the NYDFS meant to reference the training requirement contained in Section 500.14(b).

Each registered CCRA must comply with the following provisions by August 31, 2019:

  • Audit Trail — § 500.06
  • Application Security — § 500.08
  • Limitations on Data Retention — § 500.13
  • Training & Monitoring — § 500.14(a)(1) — Because Section 500.14 does not contain a subsection (a)(1), we suspect the NYDFS meant to reference the monitoring requirement contained in Section 500.14(a).
  • Encryption of Nonpublic Information — § 500.15

Finally, each registered CCRA must comply with the following provision by December 31, 2019:

  • Third Party Service Provider Security Policy — § 500.11

In directing the NYDFS to issue the new CCRA regulation, Governor Cuomo stated: “As the federal government weakens consumer protections, New York is strengthening them with these new standards.  Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber-attacks, providing them with peace of mind about their financial future.”

Copyright © by Ballard Spahr LLP. National Law Review, Volume VIII, Number 188

About this Author

Edward McAndrew, Ballard Spahr, Philadelphia, Washington DC, Data Security, Privacy

Edward J. McAndrew is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is the Co-Practice Leader of the firm's Privacy and Data Security Group.

Named a "Cybersecurity and Data Privacy Trailblazer" by The National Law Journal, Mr. McAndrew advises clients on cybersecurity, digital privacy, cyber-incident response, social media, online speech, defamation, commercial, employment, intellectual property, corporate governance, regulatory, and criminal matters. He also advises clients on cyber-based national security issues, as...

James Kim, Ballard Spahr Law Firm, Los Angeles, Financial Law Litigation Attorney
Of Counsel

Mr. Kim advises companies and individuals in matters involving financial regulation and litigation, and the myriad of federal consumer financial laws, such as Title X of Dodd-Frank (UDAAP), TILA, RESPA, EFTA, and the FDCPA. He has represented clients in examinations and investigations with the Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), U.S. Department of Justice (DOJ), U.S. Securities and Exchange Commission (SEC), and various state and local agencies. His practice focuses on...

Culhane, Ballard, Partner

John L. Culhane, Jr., is known for his work advising on interstate direct and indirect consumer and residential mortgage loan and leasing programs, through both traditional brick-and-mortar facilities and e-commerce. Before joining Ballard Spahr, Mr. Culhane was associate counsel with Mellon Bank, N.A.; associate counsel with Bank of America NT&SA; and senior attorney (section chief) with the National Credit Union Administration, the federal agency regulating federal credit unions.

Mr. Culhane addresses issues involving licensing,...