New York governor wants credit-reporting firms to follow cyber rules

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By Diane Bartz and Suzanne Barlyn

WASHINGTON/NEW YORK (Reuters) – New York Governor Andrew Cuomo said on Monday that he wants credit-reporting firms to comply with the state’s cyber-security regulations, the latest government official to crack down on the industry in the wake of the massive Equifax hack.

Also on Monday, Bloomberg News reported that federal authorities have opened a criminal probe into stock sales by three Equifax Inc <EFX.N> executives before the company disclosed the massive data breach, news that has weighed heavily on the stock price.

The company has said the executives were unaware of the hack when they sold the stock for $1.8 million.

Equifax’s legal woes worsened as the U.S. Attorney’s office in Atlanta issued a statement saying it was working with the FBI on a criminal investigation into the breach and theft of personal information.

Equifax shares rose 1.5 percent on Monday after losing about a third of their value since the hack was announced. The Equifax breach discovered on July 29 exposed sensitive data like Social Security numbers of up to 143 million people.

Cuomo said he planned to require all credit-reporting agencies to register with the state and comply with its cyber-security rules.

The proposed regulation would take effect in February, Cuomo said in a statement. If the companies do not register, they risk being barred from doing business with financial companies regulated by New York state.

The state would be able to bar credit-reporting agencies, including TransUnion <TRU.N> and Experian Plc <EXPN.L>, as well as Equifax, from doing business in New York if the state found they engaged in “unfair, deceptive or predatory practices,” Cuomo said.

“The Equifax breach was a wake-up call,” Cuomo said. “And with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Proposed regulations are typically subject to a period for public comment before they become final.

A New York state cyber-security regulation, the first of its kind in the United States, took effect on March 1. It requires financial firms to take measures to protect networks and customer data from hackers and disclose cyber events to regulators.

Maine is the only U.S. state that requires credit agencies to register, said William Lund, superintendent of the Maine Bureau of Consumer Credit Protection. But its law does not cover cyber security, an issue the bureau will have to consider, Lund said.

Maine, which has been registering credit-reporting agencies since the 1990s, has 30 such agencies on its roster, ranging from the largest to those dealing with everything from check approval to tenants’ rental histories, he added.

The three credit-reporting agencies did not respond to requests for comment on Cuomo’s plan.

Bloomberg reported on Monday that the U.S. Justice Department is investigating whether Equifax’s chief financial officer, John Gamble, and two other executives broke insider-trading rules by selling stock after the breach was discovered in July and weeks before it was disclosed this month.

Reuters was not able to confirm the Bloomberg report.

Separately, the company issued a statement saying a second Bloomberg report late on Monday about a second cyber attack in March referred to a breach at Equifax’s payroll unit that was previously reported to regulators, customers and consumers and had also been covered by the press.

“Equifax complied fully with all consumer notification requirements related to the March incident. The two events are not related,” the statement said.

(Reporting by Diane Bartz and Suzanne Barlyn; Additional reporting by Sarah N. Lynch, David Shepardson and Dustin Volz; Editing by Jim Finkle, Leslie Adler and Michael Perry)