The New York Times
Gov. Andrew M. Cuomo, responding to the massive security breach at Equifax, will propose regulations on Monday that subject credit reporting agencies to the same rules as banks and insurance companies in order to protect consumers.
The proposal would require companies like Equifax, Experian and TransUnion to register with the state’s Department of Financial Services, whose superintendent will have broad powers to deny or revoke their authorization to do business in the state, or to sue, if a company fails to comply or engages in prohibited practices deemed unfair, deceptive or predatory. Senior administration officials said the proposed regulations would, in effect, make it illegal for unregistered credit reporting agencies to compile reports on consumers in New York or to collect fees from banks for their services.
The move comes after Equifax, based in Atlanta, announced last week that hackers had gained access to sensitive personal information for 143 million consumers and made off with over 200,000 credit card numbers. The episode highlighted gaps in regulation that allow credit reporting agencies to warehouse consumer information like names, addresses and Social Security numbers without rigorous oversight for how that data is collected, protected and used.
Mr. Cuomo said in a statement that the breach was “a wake-up call,” and added that he hoped the regulations would be replicated nationwide.
“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyber attacks due to lax security,” he said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in the new frontier of a rapidly changing digital world.”
Under the regulations, credit reporting agencies must register by Feb. 1 each year, using forms that require them to list all officers who will be responsible for compliance. The companies will also be required to comply with cybersecurity regulations that went into effect this spring for financial services providers.
The cybersecurity regulations require financial institutions to implement a program for protecting consumer data. The companies must also appoint or designate a chief information security officer and report breaches, attempted or successful, to the regulator.
Administration officials said they expected the proposal to be adopted within 60 days, after a public comment period has ended.
The information that credit reporting agencies collect holds the keys to Americans’ bank accounts and medical histories. Although the companies sit on a wealth of information, they are not subject to the kind of constant monitoring and auditing that the government uses to secure banks and insurance companies.
The risks were highlighted by the Equifax breach, which led two senior executives responsible for security in information technology to retire on Friday. The company is investigating the scope and cause of the intrusion.
The hackers, who have not been identified, exploited a known security loophole in software that Equifax uses on its website, prompting questions about why the company did not make a fix that could have prevented the attack.
Equifax is facing legal threats and backlash from consumers, investors and policy makers. Attorney General Eric T. Schneiderman is investigating the breach, and at least two class-action lawsuits are pending against the company, whose shares have tumbled 35 percent since Sept. 7.