New York Issues Cybersecurity Regulation for Credit Reporting Agencies

The regulations from the state’s Department of Financial Services mirror cybersecurity standards for financial services companies implemented in 2017.

6/28/2018 12:30 PM


The New York Department of Financial Services (DFS) is implementing new cybersecurity regulations for credit reporting agencies in an effort to protect consumers from data breaches—largely in response to the 2017 breach experienced at Equifax.

New York Gov. Andrew Cuomo said in a news release that the new regulation, incorporating public comments, requires credit reporting agencies with “significant operations” in the state to register with the DFS and comply with the new cybersecurity standards.

The New York Times also reports that seven other states issued new data security rules for Equifax to comply with, such as conducting security audits at least once per year and having written data protection policies and guides.

The requirements in New York mirror those implemented in the state last year, under which financial services companies regulated by the DFS, such as banks and insurance companies, were required to follow cybersecurity standards to protect consumers’ private data, ACA International previously reported.

Under the new regulation, according to the New York DFS: “all consumer credit reporting agencies that reported on 1,000 or more New York consumers in the preceding year must register annually with DFS beginning on or before Sept. 1, 2018, and by Feb. 1 of each successive year for the calendar year thereafter.”

In addition, every credit reporting agency must comply with the department's cybersecurity regulation, beginning Nov. 1, 2018, pursuant to the timetable included in the final regulation. Compliance dates for various stages of the regulation include February, August and December 2019.

The regulation, according to the DFS, includes:

  • A cybersecurity program designed to protect consumers’ private data;
  • A written policy or policies that are approved by the board or a senior officer;
  • A Chief Information Security Officer to help protect data and systems; and
  • Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

The DFS cybersecurity regulation also requires the protection of data from third-party vendors and an annual certificate of compliance filed with the DFS.

A copy of the final regulation is available through the New York governor’s website.

Related Content from ACA International:

New York State Department of Financial Services Issues Cybersecurity Regulations

From Collector: Taking a Layered Approach: What the Equifax breach can teach you about shoring up your company’s data security.


Follow ACA International on Twitter @ACAIntl and @acacollector, Facebook and request to join our LinkedIn group for news and event updates. ACA International members are welcome to submit news items for possible publication to comm@acainternational.org. Visit our publications page for news submission guidelines and subscriptions to ACA Daily, Collector magazine and Pulse.

Advertising is available for companies wishing to promote their products or services. Be sure to visit the ACA Events Calendar on the Education and Training page to view our listing of upcoming CORE Curriculum and Hot Topic seminars featuring critical educational opportunities for your company.

