Equifax: The Empire State Strikes Back

Patterson Belknap Webb & Tyler LLP

Yesterday, New York Governor Andrew M. Cuomo announced that he has   directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

The DFS wasted no time following the Governor’s instructions.  The Department announced a proposed regulation that places credit reporting agencies squarely within the purview of the DFS, prohibits them from committing “any unfair” act, and requires them to comply with the DFS cybersecurity regulation.

The proposed regulation—which is subject to the statutory 45-day-reporting and public-comment period—includes a litany of detailed and unprecedented requirements for “consumer credit reporting agencies”:

  • Any agency that “assembles, evaluates, or maintains a consumer credit report on any consumers located in New York State” must “register with” the DFS.  The Superintendent may, in turn, “refuse to renew a consumer credit report agency’s registration” if the “applicant, or any member, principal, officer, or director” is not “trustworthy,” “competent,” or “has filed to comply with any minimum standard.”

  • After notice and a hearing, the DFS may revoke or suspend the registration of a consumer reporting agency that: violated applicable laws or orders; provided materially incorrect, misleading, incomplete or untrue information to the DFS; failed to comply with the new regulation; improperly withheld or misappropriated any monies; committed any “unfair trade practice or fraud”; was convicted of a felony; had its registration denied or revoked in any other state or territory; or failed to pay state income tax.

  • Credit reporting agencies are prohibited from: misleading consumers; engaging in any unfair, deceptive or predatory act;  violating 12 U.S.C. § 5536 (which prohibits, among other things, violations of any federal consumer financial laws); including false information in any consumer report; refusing to communicate with consumers’ representatives; and giving any false information to the DFS or other governmental agencies

  • Finally, every consumer credit reporting agency must comply with the DFS cybersecurity regulation.  Though, the timeline for credit agencies to comply with the regulation is different than other financial institutions.

New York appears to be the first state to respond to the Equifax breach with a new, expansive regulation.  We will continue to monitor and report on the rulemaking process.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.