Equifax Breach Spurs Effort to Extend NY Cybersecurity Regulations to Credit Reporting Agencies
In the wake of the massive data breach involving Equifax, New York Gov. Andrew Cuomo announced he wants to extend the state’s new cybersecurity regulations to cover credit reporting agencies. The state’s cybersecurity and data protection rules, which currently apply to banks, insurance companies, and other financial institutions, are among the most comprehensive in the country.
As readers are most certainly aware, Equifax recently announced that a data breach may have impacted 143 million U.S. consumers, putting their Social Security numbers, birth dates, addresses, and some driver’s license numbers at risk. Not surprisingly, the breach has triggered investigations by state and federal agencies, as well as private lawsuits by consumers. In New York, it may also prompt new regulations.
DFS Cybersecurity Regulations
New York’s Department of Financial Services’ (DFS) cybersecurity regulations took effect on March 1, 2017. Pursuant to 23 NYCRR Part 500, financial service companies must “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The programs must address five key areas: identification of cyber risks; implementation of policies and procedures to protect unauthorized access/use or other malicious acts; detection of cybersecurity events; responsiveness to identified cybersecurity events to mitigate any negative events; and recovery from cybersecurity events and restoration of normal operations and services.
The cybersecurity requirements for financial services companies also mandate that covered entities implement cybersecurity policies that are tailored to their unique risks and needs. Covered entities must also appoint a chief information security officers to implement and enforce such policies. Other requirements under the regulation include: adopting policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties; requiring multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access; drafting an incident response plan to recover from any cybersecurity event; and conducting annual penetration testing and vulnerability assessments.
Proposed Regulations for Credit Reporting Agencies
A proposed regulation has already been introduced in New York that would bring credit reporting companies under the purview of the state’s new cybersecurity rules and require them to register with the state. In support of the need to increase oversight over credit reporting agencies, the regulation cites several “deficient practices” including (1) the failure of consumer credit reporting agencies to safeguard consumer data; (2) the failure of consumer credit reporting agencies to maintain accurate consumer credit data; and (3) the failure of consumer credit reporting agencies to appropriately investigate consumer disputes of alleged inaccuracies in credit reports.
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyber attacks and other nefarious acts in this rapidly changing digital world” Gov. Cuomo said in a statement. “The Equifax breach was a wake-up call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulation, the term “consumer reporting agency” means “any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports or investigative consumer reports to third parties.” Below are several other key provisions proposed:
Registration: Consumer credit reporting agencies reporting on any consumers located in the State of New York would be required to register with the Superintendent of Financial Services (Superintendent). Registration would be required by February 2018. Going forward, consumer credit reporting agencies would be subject to examination. In addition, the superintendent would be authorized to refuse to renew a consumer credit reporting agency’s registration “if, in the superintendent’s judgment, the applicant or any member, principal, officer or director of the applicant, is not trustworthy and competent to act as or in connection with a consumer credit reporting agency, or that any of the foregoing has given cause for revocation or suspension of such registration, or has failed to comply with any minimum standard.”
Prohibited Practices: The regulation would prohibit credit agencies from engaging in certain practices. They would include: directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer; engaging in any unfair, deceptive or predatory act or practice toward any consumer or misrepresent or omit any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State; and including inaccurate information in any consumer report relating to a consumer located in New York State. If found to have engaged in prohibited practice or otherwise violated the regulation, the superintendent could refuse to renew, revoke, or may suspend the credit reporting agency’s registration.
Cybersecurity Compliance: Consumer credit reporting agencies would be considered a “covered entity” under the state’s financial cybersecurity rules.
Compliance with various provisions would be phased in over time, with full compliance set for October 4, 2019.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work.
The SEC’s Latest Guidance on Applying Federal Securities Laws to Tokenized Securities
On January 28, 2026, staff of the U.S. Securities and Exchange Commission’s Divisions of Corporation Finance, Investment Management, and Trading and Markets issued a joint statement clarifying how existing federal securities laws apply to tokenized securities. The SEC’s “Statement on Tokenized Securities” does not establish new law, but it does provide greater clarity on the […]
Common Legal Mistakes NYC and New Jersey Business Owners Make
Operating a business in the New Jersey and New York City metropolitan region offers incredible opportunities, but it also requires navigating a dense and highly regulated legal environment. From entity formation to regulatory compliance, seemingly minor legal oversights can expose business owners to significant risk. In our work with businesses throughout the region, our attorneys […]
High-profile founder litigation is more than just a media spectacle. For startup founders, these cases underscore the legal and structural risks that can arise when rapid growth outpaces formal oversight. While launching a new company can be both an exciting and deeply rewarding endeavor, founders must be mindful that it also comes with significant risks. […]
Corporate Governance Reviews: A Practical Guide for New Jersey Companies
Every New Jersey company should periodically evaluate its governance framework. Strong corporate governance protects directors and officers, builds investor confidence, reduces litigation exposure, and positions a company for sustainable growth. The first quarter of the year is a great time to evaluate your corporate governance practices and perform any routine maintenance needed to keep that […]
What to Do After Being Served with a Lawsuit: Steps to Protect Your Legal Rights
Being served with a lawsuit is one of the most stressful legal events a business or individual can face. Whether the claim involves a contract dispute, an employment matter, an intellectual property issue, or another legal challenge, the actions you take in the first few days can significantly shape the outcome of your case. Acting […]
Will 2026 Be a Banner Year for SPACs? Understanding the Risks and Opportunities
Special Purpose Acquisition Companies (SPACs) continue to gain momentum as we move through 2026. After enduring a significant contraction following the 2021 boom and the regulatory scrutiny that followed, SPAC activity rebounded sharply in 2025 and now carries forward into 2026 with real momentum. The SPAC resurgence reflects broader improvements in both market conditions and the […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
