Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.
If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.