New Security Standards for Credit Reporting Agencies
After the data breach that Equifax suffered last year, the company is now beginning to face repercussions that will affect not only its own business but other credit reporting agencies as well.
As most of you are or should be aware, the 2017 Equifax data breach was massive, affecting nearly 143 million people in the United States. As a result, the company is now facing fairly stern corrective actions along with new regulations that require compliance – and all of it must be accomplished within a span of three months. This has come about through a consent decree between Equifax and the commissioners of the banking departments of eight states – New York, Alabama, California, Georgia, Maine, Massachusetts, North Carolina, and Texas.
Pursuant to the decree, Equifax’s Board of Directors is now required to review and approve a written risk assessment plan for future digital threats. The plan must address (1) the vulnerabilities of PII (personally identifiable information); (2) the likelihood that another threat to the security of PII will occur; (3) the steps that will be taken to address that threat; (4) the potential damage that would be caused by a security incident; and (5) how Equifax intends to respond if a security incident occurs. Equifax is also required to improve oversight of its vendors with respect to safeguarding consumer information. The consent decree also requires that the Equifax Board improve oversight of the company’s information security program with a written information security policy, followed up by an annual report on how the program is performing. The Board will also have to produce detailed minutes regarding management of the company’s information security and form an Audit Committee whose role is to evaluate the company’s technology controls.
Finally, in connection with the Equifax breach, the New York Department of Financial Services (NYDFS) recently announced that its cybersecurity regulation (summarized here: https://kdwinger.com/2017/11/08/heres-pay-attention-new-nydfs-cybersecurity-regulation-even-youre-not-new-york) will now also apply to all credit reporting agencies. Previously, banks, insurance companies, and other financial institutions were the organizations that came within its purview. Now, all of the credit reporting agencies must register with the NYDFS and must follow the cybersecurity standards set forth in the regulation, which include a requirement that they have a comprehensive plan to protect PII and to handle a data breach should it occur.