In Wake Of Equifax Hack, New York Wants Assurances From Experian, TransUnion

Image courtesy of Eric Norris

The Equifax data breach compromised personal information for some 143 million Americans, but there are still two other major credit bureaus — Experian and TransUnion — whose digital vaults are filled with the same sensitive info. New York’s top prosecutor is now asking these companies to explain how they won’t be the next source of a massive consumer data leak. 

New York Attorney General Eric Schneiderman announced this morning that his office has initiated a probe into the security practices of Experian and TransUnion.

Additionally, New York Governor Andrew Cuomo is pushing for new regulations to ensure that all three major credit agencies aren’t putting consumers in harm’s way.

How’s Your Security?

This morning, Schneiderman said that the Equifax hack has raised “serious concerns about the security of private consumer information held by the largest consumer credit reporting agencies.”

His office sent letters [PDF] to Experian and TransUnion, asking for information about their data security prior to the Equifax breach and any steps they have taken since the hack came to light.

For instance, the AG’s office wants to know what steps each CRA has taken to prevent future hacks and whether the agencies have considered waiving fees for customers who want to ensure their information is protected via credit freezes or monitoring.

“Credit reporting agencies have a fundamental responsibility to protect the personal information they’re entrusted with,” Schneiderman notes. “As we continue our investigation into the Equifax breach, it’s vital to ensure that consumer data at the other major credit reporting agencies is safe.”

Schneiderman gave the agencies until Sept. 21 to provide responses.

Call For Regulations

On Monday, Gov. Cuomo announced that he had called on the New York Department of Financial Services (DFS) to issue new regulations [PDF] requiring credit reporting agencies to register with the state and comply with its cybersecurity regulations.

New York’s cybersecurity rules [PDF], which took effect in March, require financial firms to take measures to protect their networks and consumer data from hackers, provide a written policy to customers, and employ a Chief Information Security Officer to help protect data and systems. Currently, CRAs are not subject to these rules.

However, on Monday, Cuomo took steps to change this, noting that CRAs would be required to meet all cybersecurity resolution standards starting in April 2018.

Additionally, under Cuomo’s newly proposed regulations, all consumer credit reporting agencies that operate in New York would be required to register annually with DFS beginning in Feb. 2018, with re-registration taking place each February.

The CRAs would also be prohibited from:
• Directly or indirectly employing a scheme that misleads a consumers;
• Engaging in unfair, deceptive, or predatory acts or practices;
• Providing inaccurate information to any consumer report relating to consumers in New York;
• Refusing to communicate with an authorized representative of a consumer located in the state;
• Making false statements or omitting any material fact in connection with information or reports filed with a government agency

If the DFS superintendent — who can examine the agencies any time it is deemed necessary — finds that the CRA or its members and directors are not trustworthy or have failed to comply with minimum security standards, the CRA could be prohibited from doing business in the state.

“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world,” Cuomo said. “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Just The Beginning

The New York actions are likely only the start of several states taking actions to hold Equifax accountable and reduce the likelihood of similar incidents at other CRAs.

Just last week, Sen. Elizabeth Warren (MA) introduced legislation that would make credit freezes free for anyone.

At the same time, a 32-state coalition — led by Connecticut Attorney General George Jepsen — is investigating the Equifax breach. The states have also asked Equifax to put a halt to the marketing of its paid credit monitoring service, claiming that it’s confusing to the millions of breach victims who are eligible for the free monitoring.