In light of the recent massive data breach at the credit reporting company Equifax, New York Governor Andrew Cuomo’s administration is taking steps to make sure that in the future, the credit agencies have better cybersecurity in place.
As Cuomo explained on WNYC’s The Brian Lehrer Show, banks and insurance companies are required to have cybersecurity protections in place when handling customer’s sensitive data, like social security numbers and credit history. But credit reporting companies are not required to have the same kind of security against potential data hackers.
“Credit reporting agencies are nowhere. They just have no regulation and they really fell in this loophole. And they have very sensitive information,” Cuomo said.” You push it a little further and its identity theft, right?”
Cuomo says he’s directed the Department of Financial Services to require credit reporting agencies to register with New York beginning in February 2018. They would also have to comply with the state’s new stricter cybersecurity requirements for banks and other lending institutions, which just took effect this past August.
The Department of Financial Services has the power, under the proposed new rules, to deny and potentially revoke a consumer credit reporting agency’s authorization to do business with banks and insurance companies in New York if a credit agency doesn’t obey the new regulations.
“What we're saying is credit reporting agencies should be regulated the same way we regulate banks and credit institutions,” Cuomo said. “They have to have cyber protections in place.”
Cuomo says the power of credit reporting agencies has grown over the past couple of decades, without corresponding oversight. And he says the Equifax breach is a “wake up call."
Meanwhile, the state Department of Financial Services is urging banks, credit unions and loan providers to carefully check applicants’ information, using ID theft prevention and fraud programs, to make sure it is legitimate. And the agency is urging lenders to double check any information they receive from Equifax credit reports, to be careful about any personal information on customers that they send to Equifax. It also recommends that banks and credit card companies set up a call center for customers to report if their information has been hacked, so that their accounts can be coded or “red flagged” for protection against potential fraud.
The new rules won’t do anything to remedy the data breach that has compromised the credit histories and personal information of 143 million Americans. The Department of Financial Services says consumers potentially affected by any type of cybersecurity breach should consider placing a “fraud alert” or “credit freeze” on their credit files.