Governor Cuomo announces added regulations to protect consumers

New York State Governor Cuomo instructed the New York Department of State on December 12 to issue more regulations to protect consumer data. The regulations are effective immediately and come into play on an emergency basis, making consumer credit reporting agencies increasingly accountable to the public. The regulations will require consumer credit reporting agencies to:

  • Respond within 10 days to the Department of State’s Division of Consumer Protection’s requests on behalf of consumers
  • Appoint and identify key points of contact for the Division of Consumer Protection to obtain vital information to help affected consumers; and
  • Disclose profiteering initiatives targeting impacted customers affected by identity theft.

The third requirement calls for credit reporting agencies to disclose, in plain language, all fees (including hidden) associated with identify theft protection products, e.g. products and services initially offered free of charge. The agencies must also submit a list of all business affiliations and contractual relationships they have with companies that sell credit monitoring and related services.

According to Secretary of State Rossana Rosado, Governor Cuomo is directing agencies to take extra measures to ensure customers have timely access to assistance in the event of a future data breach. The 2017 Equifax data breach is a major cause for the state’s crackdown on credit reporting agencies’ handling of consumer data.

The New York Department of State is responsible for organizing the consumer protection activities of all state agencies. It also investigates matters that impact consumers, which is why it is coordinating with the New York Department of Financial Services cybersecurity regulation on the Equifax data breach. Governor Cuomo’s proposed regulations, although separate, complement the NYDFS cybersecurity regulation, which came into effect on March 1, 2017.

Financial services organizations and related covered entities must ensure they comply with certification due February 15, 2018. Learn more about the NYDFS cybersecurity regulation here.