NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation
The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.
The new regulation became effective upon the publication of a Notice of Adoption by the NYDFS in the State Register on July 3, 2018. Its definitions of “consumer credit report” and “consumer credit reporting agency” closely track the definitions of, respectively, the terms “consumer report” and “consumer reporting agency” in the FCRA. However, the term “consumer credit report” is limited to “a consumer report…bearing on a consumer’s credit worthiness, credit standing, or credit capacity.” Similarly, the term “consumer credit reporting agency” is limited to “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining [information from furnishers] for the purpose of furnishing consumer credit reports to third parties.” The term “New York consumer” is defined as “an individual who is a resident of New York State as reflected in the most recent information in the possession of a [CCRA].”
A CCRA must register with the NYDFS if “within the previous 12-month period, [it] has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers.” Every CCRA “that is required to register…at any time between June 1, 2018 and September 1, 2018” must register by September 15, 2018. Registration must be renewed by February 1, 2019 for the 2019 calendar year and by February 1 of each year thereafter.
The regulation prohibits a CCRA that is required to be registered and has not done so from engaging in the business of a CCRA in New York by furnishing a consumer credit report on a New York consumer to any individual or entity. It also prohibits any “regulated person” from paying “any fee or other compensation” or transmitting any information about a New York resident to a CCRA that is required to be registered and has not done so. A “regulated person” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
A CCRA that is required to register with the NYDFS must comply with all material provisions of the NYDFS cybersecurity regulation. The NYDFS has established different compliance deadlines for particular requirements of the cybersecurity regulation. Each registered CCRA must comply with the following provisions by November 1, 2018:
- Cybersecurity Program — § 500.02
- Cybersecurity Policy — § 500.03
- Chief Information Security Officer — § 500.04(a)
- Access Privileges — § 500.07
- Cybersecurity Personnel & Intelligence — § 500.10
- Incident Response Plan — § 500.16
- Notices to Superintendent — § 500.17
CCRAs that must register will be entitled to the confidentiality protections of the cybersecurity regulation (§ 500.18) as of November 1, 2018, which is also the date on which the NYDFS will begin enforcement of the cybersecurity regulation against CCRAs. As to enforcement, the new regulation also expressly prohibits registered CCRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer that is prohibited by any federal law, or by any New York State law that is not preempted by federal law,” or engaging in “any unfair, deceptive, or abusive act or practice in violation of section 1036 of the [Dodd-Frank Act].”
Each registered CCRA must comply with the following provisions by February 28, 2019:
- CISO Report to the Board of Directors — § 500.04(b)
- Penetration Testing & Vulnerability Assessments — § 500.05
- Risk Assessment — § 500.09
- Multi-factor Authentication — § 500.12
- Training & Monitoring — § 500.14(a)(2) — Because Section 500.14 does not contain a subsection (a)(2), we suspect the NYDFS meant to reference the training requirement contained in Section 500.14(b).
Each registered CCRA must comply with the following provisions by August 31, 2019:
- Audit Trail — § 500.06
- Application Security — § 500.08
- Limitations on Data Retention — § 500.13
- Training & Monitoring — § 500.14(a)(1) — Because Section 500.14 does not contain a subsection (a)(1), we suspect the NYDFS meant to reference the monitoring requirement contained in Section 500.14(a).
- Encryption of Nonpublic Information — § 500.15
Finally, each registered CCRA must comply with the following provision by December 31, 2019:
- Third Party Service Provider Security Policy — § 500.11
In directing the NYDFS to issue the new CCRA regulation, Governor Cuomo stated: “As the federal government weakens consumer protections, New York is strengthening them with these new standards. Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber-attacks, providing them with peace of mind about their financial future.”