Governor Cuomo Mandates Compliance by Credit Reporting Agencies with Sweeping New Cybersecurity Requirements
New York Governor Andrew Cuomo has issued a final regulation that requires credit reporting agencies doing business in New York to register annually with the Department of Financial Services (DFS) and also to comply with accompanying cybersecurity regulations, including the implementation of a cybersecurity program consistent with the requirements already in place for banks, insurance companies and other financial services institutions. The purpose of the new regulation is to protect New Yorkers from data breaches, such as the Equifax breach which exposed the private data of millions of individuals.
The new regulation, entitled "Registration Requirements & Prohibited Practices For Credit Reporting Agencies, 23 NYCRR 201, et seq.," largely follows the provisions of the Fair Credit Reporting Act (FCRA). It defines a "consumer credit reporting agency" as one "that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer's credit worthiness, credit standing, or credit capacity, and credit account information from persons who furnish that information regularly and in the ordinary course of business." 23 NYCRR 201.01(d). Note, however, that a "credit report" does not include "(i) any report containing information solely as to transactions or experiences between the consumer and the person making the report, (ii) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device, or (iii) any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his decision with respect to such request," if the third party provides the consumer with the information of the entity making such request.
Any entity that qualifies as a "consumer credit reporting agency" and which has assembled, evaluated or maintained a consumer credit report for 1,000 or more New York consumers must register with DFS no later than September 1, 2018, and is also required to register annually by February 1 of each successive year. Beginning July 1, 2019, every consumer reporting agency must file a certificate of compliance with DFS.
Failure to register will prohibit a consumer reporting agency from furnishing a consumer credit report on a New York consumer, receiving payment or compensation, or transmitting such credit information to any third party. Any registered credit reporting agency will also be subject to New York laws prohibiting "unfair, deceptive or predatory practice" under federal or state law. A credit reporting agency found to violate any such consumer protection laws may be denied registration or renewal of registration, or face revocation of registration.
With the new law, credit reporting agencies must also comply with the cybersecurity requirements of the DFS. No later than November 1, 2018, credit reporting agencies must implement a cybersecurity program to protect private data of consumers; have written policies approved by the board or a senior officer; designate a Chief Information Security Officer assigned to protect data and systems; and protect consumer data received from third-party vendors. An annual certificate of compliance with the cybersecurity requirements must also be filed with the DFS.
The new law potentially cuts across a wide swath of entities dealing with the private data of consumers, including retail stores, lending institutions and debt collection agencies to the extent that these entities compile, assemble and/or maintain the type of information included in a credit report. Unlike the FCRA, however, this regulation does not define creditors or furnishers of information to credit reporting agencies, much less provide specific provisions as applicable to such entities.
The DFS has proven to be vigilant in monitoring and enforcing New York's regulatory requirements. Because this is a new regulation, we anticipate that DFS will issue further information to clarify its provisions and/or requirements. We shall continue to keep you apprised of regulatory developments to assist you in your compliance efforts.
Topics
Related Capabilities
Featured Insights

Press Release
Jul 15, 2026
Two Hinshaw Partners Recognized in Minnesota Monthly's 2026 Top Lawyers in Minnesota

Event
July 13-15, 2026
Hinshaw Proudly Sponsors 2026 Lavender Law Conference and Career Fair

Webinar
Jul 14, 2026
Scott Seaman Presents on Horizontal vs. Vertical Exhaustion of Insurance

Healthcare Alert
Jul 8, 2026
A New Era of Compliance Standards for California DSOs and MSOs After the Aspen Dental Settlement

Insights for Insurers Alert
Jul 7, 2026
What Insurers Need to Know About California’s FAIR Plan Assessment Recoupment Guidance

In The News
Jul 6, 2026
Francesco Palanda’s Practical Guide for Mitigating AI-Related Business Interruption Risk

Lawyers' Lawyer Newsletter
Jun 29, 2026
Beyond Malpractice: The Rising Threat of Privacy and Statutory Claims Against Lawyers

In The News
Jun 26, 2026
Brian McGrath Discusses Far-Reaching Impact of a NY Foreclosure Ruling on Mortgage Industry



