In the latest response to the Equifax data breach, Governor Cuomo announced that the New York Department of State (DOS) has adopted new regulations establishing the Identity Theft Prevention and Mitigation Program (the “Program”). The DOS’s Division of Consumer Protection (the “Division”) is responsible for implementing the Program and enforcing the regulation, which was adopted on an emergency basis and is effective immediately. This DOS emergency regulation is in addition to the pending expansion of the Department of Financial Services (DFS) cybersecurity regulation, which initially took effect in 2017, to require credit reporting agencies to register with the DFS and comply with that regulation.
The Division is generally responsible for coordinating the consumer protection activities of all state agencies. The emergency regulation now tasks it with implementing the Program in order to: 1) inform consumers about how to protect their personal information; 2) help consumers prevent identity theft, including how to respond in order to protect their identities once personal information has been compromised; and 3) help consumers mitigate issues after identity theft has occurred. While these initiatives may be benign, the emergency regulation also creates new obligations for Consumer Credit Reporting Agencies (CCRAs). For the first time, CCRAs will be subject to filing obligations with DOS. The emergency regulation broadly states that “[e]ach [CCRA] operating within the State shall file with [DOS] such information as the Division finds necessary to effectively administer the Program.” At a minimum, this filing shall consist of:
- The name of the CCRA and any principals and officers;
- A point of contact who will be responsible for:
  - communicating with the Division and being available to the Division within 24 hours’ notice of a security breach; and
  - responding to requests for information from the Division within 10 days of receipt of such requests;
- Contact information to be disclosed to consumers, including the CCRA’s web address, telephone number and an email address;
- A list of all proprietary products offered to consumers for identity theft protection and detailed product information;
- A list of all business affiliations and contractual relationships that relate to products or services advertised to consumers for identity theft protection; and
- The CCRA’s DUNS number.
Finally, the regulation requires CCRAs to disclose any fees associated with products or services marketed to consumers as identity theft protection.
The emergency regulation would also likely impose penalties on entities that fail to comply, but that information was not immediately available. It also appears that, although the emergency regulation effectively mirrors the definition of CCRA used in the DFS regulation, the newest promulgation includes some erroneous statutory references. That said, although the Division is expected to promptly issue an information request to Equifax as part of the State’s efforts to review the data breach, one of the most significant legal questions is whether DOS has the statutory authority to mandate that CCRAs complete filings and respond to inquiries.