Equifax Must Turn Over NY Breach Data This Week
New York State regulators won’t be letting Equifax, Inc. off-the-hook any time soon for last year’s massive data breach that affected more than 145 million Americans.
In the state’s most recent move, Equifax is required to provide New York Secretary of State Rossana Rosado with breach-related information in 11 separate categories later this week including:
- Equifax’s plan for making the 8.4 million New Yorkers affected by the breach “whole,” if such a plan exists;
- A copy of the “comprehensive forensic review” prepared by the company’s outside forensic firm;
- Listing of the “New York specific data” that was compromised in the hack; and
- The number of children under the age of 16 affected by the breach “both nationally and within New York.”
Rosado’s request came in a December 27th letter to Equifax Interim CEO Paulino do Rego Barros Jr.
“This information will assist the Department of State’s Division of Consumer Protection in its ongoing efforts to investigate … the security breach of Equifax’s data,” Rosado wrote, “which exposed the personal information of millions of New Yorkers to criminal enterprise.”
The information was demanded under regulations – adopted and implemented on an emergency basis on December 12th by the New York Department of State – that require credit reporting agencies to respond within 10 days to requests made by the Department of State’s Division of Consumer Protection on behalf of consumers.
The Secretary of State’s investigation is just one of multiple probes ongoing within the state. As we’ve reported, New York Attorney General Eric Schneiderman started an investigation last year as did the New York State Department of Financial Services. DFS issued a subpoena on September 14th seeking documents related to the hack including information concerning when Equifax first learned of it.
On September 18th, as we’ve reported, New York Governor Andrew Cuomo proposed emergency regulations that would bring credit reporting agencies under the state’s cybersecurity regulation which already covers banks, insurance companies and other financial players that operate in the state.
A bill was also introduced late last year by the New York Attorney General to ratchet up much broader efforts to protect consumer information. The bill – called “Stop Hacks and Improve Data Security Act” or “SHIELD” – would require companies to implement “reasonable” data security safeguards to protect consumer information. We’ve blogged about the SHIELD proposal here, and published a two-part series taking an in-depth look at the proposal here and here.
Stay tuned for further developments.