ALBANY -- The Equifax data breach spurred a new plan Monday to give New York bank regulators broad power to block a credit-reporting agency's ability to operate in the state.
Gov. Andrew Cuomo's administration unveiled a proposal to more strictly regulate the credit-reporting industry in response to the massive breach, in which hackers gained access to the personal information of more than 143 million Equifax users.
Here are four ways the new plan could tighten up the credit-reporting industry:
1) NY would get more power
The Department of Financial Services is moving ahead with new regulations that would require credit-reporting agencies like Equifax and Experian to register with the state in order to operate in New York.
It would give state regulators way more power.
How? The state's financial services superintendent would have the ability to reject an agency's registration request if the company is "not trustworthy and competent to act as" a credit-reporting agency.
That very broad language could give state regulators wide-ranging power to block a company's ability to operate in New York if, say, it suffers a massive data breach.
2) Equifax and others would have to register annually
The credit-reporting agencies would have to register each and every year under the proposed regulations, beginning in February.
That means they would need annual state approval to operate in New York, requiring regular reviews of their fitness to handle sensitive information like Social Security numbers.
The constant approval process is meant as a deterrent: The companies would know they face the threat of a registration denial if they run afoul of state rules or don't protect consumer information.
A spokesperson for Equifax could not immediately be reached for comment Monday.
3) NY could suspend or revoke a registration
Even if a credit-reporting agency is licensed, New York regulators could still revoke the registration under the proposed regulations.
The regulations would give the Department of Financial Services the ability to suspend or revoke a registration for any of nine reasons, including if a company violates any New York banking law or regulation, provides misleading information in the registration process or uses fraudulent or dishonest practices.
The state would have to provide notice of its plan to suspend a license and hold a hearing on the matter before taking action.
4) Tougher cybersecurity rules
Once the new regulations take effect, credit-reporting agencies would soon have to comply with New York's cybersecurity rules for banks and insurers.
The rules would require the agencies to file a written policy with the state detailing how they will keep consumers' sensitive information under wraps, as well as employ a cybersecurity officer whose job is to protect private data.
The new regulations would phase in the cybersecurity rules over much of 2018.