Last Updated:

CCRAs - Consumer Credit Reporting Agencies

In July 2018, the New York Department of Financial Services (“DFS”) issued its new regulation imposing three important requirements on “consumer credit reporting agencies” (“CCRAs”):  (1) covered CCRAs must now register with DFS in order to do business in New York; (2) CCRAs are prohibited from engaging in certain unfair, deceptive, or predatory practices; and, most significantly (3) CCRAs now must comply with DFS’ 2017 Cybersecurity Regulation.
In general, covered CCRAs are those which have assembled, evaluated, or maintained a consumer credit report on 1,000 or more New York consumers within the last 12-month period.
Covered CCRAs must have registered with DFS by September 15, 2018, and must renew their registration by February 1, 2019, and by February 1 of each year thereafter.  Covered CCRAs also must designate one or more officers and directors as responsible for compliance.
Unregistered CCRAs may not provide consumer credit reports on New York consumers to any entity.  In addition, regulated entities, including “Covered Entities” under DFS’ Cybersecurity Regulation – a wide-ranging group of banks, insurers, mortgage brokers, and other financial services companies – are prohibited from obtaining a consumer credit report from and/or transmitting any information about a New York resident to an unregistered CCRA.  
The most significant aspect of the CCRA Regulation is the application of DFS’ Cybersecurity Regulation to CCRAs.  This has substantial implications for CCRAs (as with other Covered Entities), which now must achieve compliance with New York’s comprehensive cybersecurity regime.  
First, by November 1, 2018, CCRAs must do the following (note that the bullet descriptions are summaries of the Cybersecurity Regulation’s detailed requirements; capitalized terms are specifically defined in the Regulation):
Implement a cybersecurity program based on its Risk Assessment;Implement written policies and procedures, approved by a Senior Officer or the Board, for the protection of its Information Systems and Nonpublic Information stored on those systems;Designate a CISO;Limit user access privileges to Information Systems which access Nonpublic Information;Utilize qualified cybersecurity personnel to manage the Covered Entity’s cybersecurity risks and core cybersecurity functions, and provide verified training to such personnel; 

Implement a written incident response plan designed to respond to and recover from a Cybersecurity Event;

Provide notice to DFS within 72 hours from a determination that a Cybersecurity Event has occurred (Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System; notice must be given if the event is one that requires notice be provided to any government body, self-regulatory agency or any other supervisory body, or one that has a reasonable likelihood of materially harming any material part of the normal operation of the Covered Entity); and 

Certify annually its compliance with the Cybersecurity Regulation.

Second, by February 28, 2019, CCRAs must also comply with the following requirements:
CISO must report in writing at least annually to the Board on specified cybersecurity issues;Implement a plan for continuous monitoring of the cybersecurity program, or for periodic Penetration Testing and vulnerability assessments;Conduct a periodic Risk Assessment of its Information Systems to inform the design of the cybersecurity program;Implement Multi-Factor Authentication (or reasonably equivalent access controls) at least for any individual accessing internal networks from an external network; and Provide regular cybersecurity awareness training for all company personnel. 
Third, by August 31, 2019, CCRAs must implement:
Audit trail systems designed to reconstruct material financial transactions and to detect and respond to Cybersecurity Events;Procedures and standards ensuring secure development practices for in-house developed applications and for evaluating the security of externally developed applications;Policies and procedures for the secure disposal of Nonpublic Information;Risk-based policies, procedures and controls to monitor Authorized Users’ activities on the company’s systems and detect unauthorized access to or use of Nonpublic Information; and Encryption – both in transit and at rest – of Nonpublic Information, unless infeasible, in which case alternative compensating controls must be implemented. 
Finally, by December 31, 2019, CCRAs also must implement written policies and procedures to ensure the security of Information Systems and Nonpublic Information accessed or maintained by Third Party Service Providers.
DFS’ CCRA Regulation coincided with its June 2018 consent order requiring Equifax to take corrective actions following the company’s massive 2017 data breach.  This could signal that DFS is ramping up to begin enforcement activity now that Covered Entities (other than CCRAs) have implemented (as of September 3) the first three of the four phases above, and thus should already be nearly compliant in full.