Vacation is Canceled!: Consumer Reporting Agencies Must Satisfy First-in-the-Nation N.Y. Cybersecurity Regulations by the Fall

On June 25, 2018, the New York Department of Financial Services (“NYDFS”) issued a final regulation (the “Regulation”) requiring consumer reporting agencies with “significant operations” in New York to (1) register with NYDFS for the first time and (2) comply with the NYDFS’s cybersecurity regulation. Under the Regulation, consumer reporting agencies that reported on 1,000 or more New York consumers in the preceding year are subject to these requirements, and must register with NYDFS on or before September 1, 2018.

The deadline for consumer reporting agencies to come into compliance with the cybersecurity regulation is November 1, 2018. Thereafter, they must register annually by “February 1 of each successive year for the calendar year thereafter.” In connection with these regulations, the NYDFS Superintendent will have the authority to deny, suspend and potentially revoke a consumer credit reporting agency's authorization to do business with New York's regulated financial institutions and consumers.

Governor Andrew Cuomo stated that New York will seek to establish “new standards” to create first-in-the-nation regulations to strengthen consumer protections from potential data breaches. In the same statement, Financial Services Superintendent Maria T. Vullo expressed a desire to strengthen consumer protections by further regulating the cyber readiness of the credit reporting industry.