After Equifax, New York takes steps to protect consumers against future data hacks

Sep 19, 2017

In light of the recent massive data breach at the credit reporting company Equifax, Gov. Andrew Cuomo’s administration is taking steps to make sure that in the future, the credit agencies have better cybersecurity in place.


Credit Equifax.com

As Cuomo explained on WNYC’s The Brian Lehrer Show, banks and insurance companies are required to have cybersecurity protections in place when handling customer’s sensitive data, like Social Security numbers and credit history. But credit reporting companies are not required to have the same kind of security against potential data hackers.

“Credit reporting agencies are nowhere. They just have no regulation and they really fell in this loophole. And they have very sensitive information,” Cuomo said.” You push it a little further and its identity theft, right?”

Cuomo said he’s directed the Department of Financial Services to require credit reporting agencies to register with New York beginning in February. They also would have to comply with the state’s new stricter cybersecurity requirements for banks and other lending institutions, which just took effect in August.

The Department of Financial Services has the power, under the proposed new rules, to deny and potentially revoke a consumer credit reporting agency’s authorization to do business with banks and insurance companies in New York if a credit agency doesn’t obey the new regulations. 

“What we're saying is credit reporting agencies should be regulated the same way we regulate banks and credit institutions,” Cuomo said. “They have to have cyberprotections in place.”

Cuomo said the power of credit reporting agencies has grown over the past couple of decades without corresponding oversight. And he said the Equifax breach is a “wake-up call.”

Meanwhile, the state Department of Financial Services is urging banks, credit unions and loan providers to carefully check applicants’ information, using ID theft prevention and fraud programs, to make sure it is legitimate.

The agency also is urging lenders to double-check any information they receive from Equifax credit reports and to be careful about any personal information on customers that they send to Equifax. It also recommends that banks and credit card companies set up a call center for customers to report if their information has been hacked, so that their accounts can be coded or “red-flagged” for protection against potential fraud.

The new rules won’t do anything to remedy the data breach that has compromised the credit histories and personal information of 143 million Americans. The Department of Financial Services said consumers potentially affected by any type of cybersecurity breach should consider placing a “fraud alert” or “credit freeze” on their credit files.