Senator Comrie Announces Legislation to Protect New Yorkers in Response to Equifax Hack

For Immediate Release: September 25, 2017
Contact: Andrew Taranto | taranto@nysenate.gov

Albany, NY — New York State Senator Leroy Comrie, Ranking Member on the Consumer Protection Committee, announced the introduction of legislation in response to the Equifax hack that potentially compromised sensitive information for 143 million American consumers. Senator Comrie’s legislation would expedite the time in which a data breach must be reported, help assist and protect consumers in dealing with the theft of their personal information and provide clear state regulation over consumer credit reporting agencies.

“From the initial Equifax hack to the company’s inadequate response, it is clear that New York State should be doing much more to incentivize businesses to better protect consumer data,” said Senator Leroy Comrie. “In the ever evolving world of emerging technology, it is imperative that safeguards are in place to prevent personal information like social security numbers and banking information from so easily ending up in the hands of hackers.”

Senator Comrie’s proposals include:

Requiring consumer credit reporting agencies to disclose data breach within 15 days of discovery. (S.6880)

• Current state law does not provide a concrete timeline of when notification must be provided to consumers after a data breach has taken place.
• There was at least a 6-week lag between the discovery of the Equifax data breach and the company’s public disclosure of the attack, during which three Equifax executives sold nearly two million worth of company stock within days of discovery.
   

Placing an automatic security freeze on consumer credit reports and waives the fee for consumers to unfreeze their credit report. (S.6879)

• Creates a new law to require credit reporting agencies that have experienced a breach to place a free 90 day security freeze on all consumer’s credit reports that were affected.
• ​This freeze must happen with 7 days of the credit reporting agency first learning about a breach; consumers themselves must be notified of the freeze within 7 days as well.
• Consumers can request to lift the freeze at their option, at no cost to them. 

Providing a clear regulatory mandate over consumer credit reporting agencies to the Department of Financial Services. (S.6878)

• After the Equifax breach, there was a broad sense of uncertainty by experts and lawmakers as to which federal regulator, if any, is charged with the responsibility to monitor and do regular supervision.
• Although Governor Cuomo has proposed rules to regulate consumer credit reporting agencies, the importance of the legislative process must not be ignored.
• Credit reporting agencies have never been subject to regulation by DFS, which is why public hearings and committee meetings play an especially vital role and allow advocacy groups and constituents to voice their concerns before any rules are enacted into law.
• This bill instructs DFS to regulate consumer credit reporting agencies by requiring licensing of credit reporting agencies, and allowing the Department to examine the books and records of consumer reporting agencies.

​On Thursday, September 28th, the Senate Committee on Consumer protection will conduct a public hearing to investigate how to best protect consumers, such as seniors and internet users, from the theft of their personal information.

Additional background:

On September 7th, Equifax reported that hackers gained access to company data that potentially compromised sensitive information for nearly 44% of the U.S. population. The breach included: social security numbers, driver’s license numbers, names, addresses, birth dates. Keys that unlock consumers’ medical histories, bank accounts, and employee accounts have also been compromised. Credit card numbers for 209,000 consumers, and documents with personal information used in disputes for 182,000 people were also stolen.