BILL NUMBER: S2641
SPONSOR: COMRIE
TITLE OF BILL:
An act to amend the financial services law, in relation to regulation of
consumer reporting agencies
SUMMARY OF PROVISIONS:
This bill creates a new Article 7 within the existing Financial Services
Law that authorizes and empowers the New York State Department of Finan-
cial Services (DFS) to regulate consumer reporting agencies, including:
oversight, licensing, examination and rulemaking powers.
JUSTIFICATION:
On September 7th, 2017, one of three major consumer credit reporting
agencies in the United States-Equifax-reported that hackers gained
access to company data that potentially compromised sensitive informa-
tion for 143 million American consumers - nearly 44% of the U.S. popu-
lation. The breach included: social security numbers, driver's license
numbers, names, addresses and birth dates. Keys that unlock consumers'
medical histories, bank accounts, and employee accounts have also been
compromised. Credit card numbers for 209,000 consumers were stolen, and
documents with personal information used in disputes for 182,000 people
were also stolen.
The attack on Equifax represents one of the largest risks to personally
sensitive information in recent years. This incident is the third major
cybersecurity threat for the agency since 2015. Just last year, identify
thieves successfully hacked critical W-2 tax and salary data from an
Equifax website. Earlier this year, thieves again stole W-2 tax data
from an Equifax subsidiary, TALX, which provides online payroll, tax and
human resources services to some of the nation's largest corporations.
According to investigations, criminals gained access to certain files in
the company's system from mid-May to July, 2017 by exploiting a weak
point in website software. Identity thieves can impersonate people with
lenders, creditors, and service providers who rely on personal identity
information. Thieves can also use stored information from Equifax and
use it to open accounts with creditors that use Experian or TransUnion.
Cybersecurity professionals criticized Equifax for not improving its
security practices after previous thefts. Critics also argue that Equi-
fax should have multiple layers of controls. Consumers complained of a
6-week lag between the discovery of the attack and Equifax's public
disclosure.
Equifax discovered the intrusion on July 29th but it first disclosed the
attack publicly on September 7th. There seems to be a broad sense of
uncertainty by experts and lawmakers as to which federal regulator, it
any, is charged with the responsibility to monitor and do regular super-
vision on cybersecurity.,The Consumer Financial Protection Bureau has
authority to police violati'ons of consumer protection laws by consumer
credit bureaus, but the.; agency generally leaves data privacy enforce-
ment to the Federal Trade Commission. However, the Trade Commission
lacks the authority to impose big fines or authorize fines for first
time violations of certain rules. Neither have commented on applicable
law or jurisdiction. Although federal lawmakers have promised legis-
lation and public hearings, no clear authority is forthcoming in short
order. Thus, it is time for New York State to lead on this issue, given
the fact that millions of our residents were exposed in this episode.
TO THIS END, THIS LEGISLATION ROVIDES A CLEAR REGULATORY MANDATE OVER
CREDIT REPORTING AGENCIES TO THE NEW YORK STATE DEPARTMENT OF FINANCIAL
SERVICES (DES) ALLOWING THEM TO AGGRESSIVELY PROTECT CONSUMER INTERESTS
THROUGH POWERS THAT INCLUDE: OVERSIGHT, LICENSING, EXAMINATION AND
RULE-MAKING.
LEGISLATIVE HISTORY: S5807 2022
S6878 COMRIE No Same as ON FILE: 01/03/18 Financial Services Law
TITLE:...
Relates to regulation of consumer reporting agencies 09/20/17 REFERRED
TO RULES 01/03/18 REFERRED TO BANKS
FISCAL IMPLICATIONS:
Possible increase of revenue due to the results of licensing and fines
collected for potential violations of future regulations.
EFFECTIVE DATE:
This act shall take effect immediately.