New York State’s Department of Financial Services (DFS) recently issued a subpoena demanding more information from a national credit reporting agency concerning September’s cyber attack that compromised the sensitive information of up to 145.5 million Americans.
In addition to employing such enforcement options, New York’s Governor, Andrew Cuomo, directed the DFS to issue regulations requiring credit reporting agencies to register with the department and comply with New York’s first-in-the-nation cyber security regulation.
Compliance with New York cyber security regulation required as of August 28
New York’s new cyber security standard became effective on March 1, 2017, but only required compliance by financial institutions on August 28, 2017. Consequently, at this time all banks, insurance companies and other DFS-regulated financial services institutions must have —
- A cyber security program designed to protect consumers’ private data;
- A written cyber security policy or policies approved by the board or a senior officer;
- A designated Chief Information Security Officer (CISO) responsible for protecting data and systems; and
- Controls and plans in place for the protection of the safety and soundness of New York’s financial services industry.
Delay in notification sparks criticism
September’s cyber attack drew significant criticism because the attackers are believed to have gained unauthorized access to highly sensitive consumer and commercial data by exploiting a known web application vulnerability, one for which a fix was already available.
The agency is also under fire for waiting over a month to make the breach public. Governor Cuomo’s new regulations seek to address such issues by requiring credit reporting agencies to register with the state by February 1, 2018 and to comply with the state’s strict cyber security standard, including a requirement to report cyber security events to the DFS within 72 hours of determining that one has occurred.
A reportable cyber security event falls into at least one of the following categories:
- It impacts the covered entity and the entity is required to provide notice to any government body, self-regulatory agency or any other supervisory body; or
- It has a reasonable likelihood of materially harming any material part of the covered entity’s normal operation(s).
DFS authorized to revoke right to do business in state
In addition, the new rules would prohibit outright fraud, and would bar companies from omitting material information from a person’s credit report or reporting inaccurate information.
They also would authorize the state to deny the renewal of a consumer credit reporting company’s registration if the DFS superintendent considers the applicant untrustworthy or incompetent.
This would effectively revoke a credit reporting agency’s authorization to report on anyone located in New York State.