Data Security Law Blog

Equifax Data Suppliers Urged by DFS to Give Hack “Highest Degree of Attention”

Yesterday, New York’s top financial regulator asked state-chartered banks and insurers to take immediate precautions to protect consumers and the financial markets “in light of the cybersecurity attack” at Equifax Inc.

In guidance issued to financial institutions and insurance companies, the New York State Department of Financial Services (DFS) urged institutions that supply consumer data to Equifax to “ensure that this incident receives the highest degree of attention and vigilance.”  The guidance, Superintendent Maria T. Vullo said, “supports DFS’s first-in-the-nation cybersecurity regulation.” 

If an “institution provides consumer or commercial related account and debt information to Equifax under any arrangement,” the guidance said, the company must “ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data in light of this cyberattack.”

Superintendent Vullo called the scale of the Equifax attack “unprecedented” and said that the DFS was prepared “to take immediate action” to protect New York consumers and ensure the soundness of the state’s financial services industry.

The guidance also urged banks and insurers to install software patches on their information technology systems, and to ensure that fraud and identity theft protocols were implemented before any new account is opened, credit card issued or loan approved. It also asked that the validity of any information provided by Equifax — including credit reports — be confirmed before relying on it to make credit decisions. And, the guidance suggested, financial institutions should consider contacting customers that might have been hacked before opening credit lines in their names.

DFS issued the guidance shortly after New York Governor Andrew Cuomo called the Equifax breach a “wake up call” and directed DFS to propose a regulation requiring credit reporting agencies to comply with the state’s new cybersecurity regulation.  The proposed regulation — issued shortly after Cuomo’s appeal — is subject to a 45-day comment period.