Credit reporting agency agrees to cybersecurity corrective action with eight state regulators
On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.
The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).