Equifax Breach Investigated by N.Y. Financial Services Agency

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Gerald B. Silverman

The huge data breach at Equifax Inc. is under review by the New York Department of Financial Services for possible violations of state law or regulations, a source familiar with the case told Bloomberg BNA. The source requested anonymity because he or she isn’t authorized to speak officially about the investigation.

The probe is the second into the breach by New York authorities. New York Attorney General Eric T. Schneiderman (D) announced Sept. 8 that his office is investigating the breach for possible violations of New York law. A spokeswoman for Schneiderman told Bloomberg BNA that the office couldn’t comment on an open investigation. Other states also are investigating, including Connecticut, Illinois, Massachusetts, and Rhode Island.

The NYDFS’s new cybersecurity regulation for financial services companies (23 NYCRR Part 500) began taking effect March 1, 2017, but the reach of the NYDFS over Equifax, and whether the company violated any New York requirement, is unclear. Equifax is based in Atlanta, and it hasn’t made public the details of how and where the breach occurred. Still, with 143 million Americans, more than half of all U.S. adults, affected by the breach, there are most likely banks and insurance companies in New York that were impacted, Mark Sangster, vice president of cybersecurity company eSentire Inc., told Bloomberg BNA. Determining whether those banks were notified of the breach directly by Equifax may be a focus for the NYDFS, he said.

Another possible avenue for NYDFS enforcement is the broad authority granted by the 2011 statute that created the agency. Although the primary jurisdiction of the NYDFS is over banks, insurers, and other direct financial services, the statute also lets it oversee related financial products and services that were previously unregulated and would otherwise fall through the cracks.

A spokesman for the NYDFS declined to comment on possible enforcement actions by the state agency.

Preventable Breach?

Marcus A. Christian, a partner at Mayer Brown LLP, who focuses on cybersecurity and data privacy, told Bloomberg BNA that it’s hard to know if the NYDFS regulations could have prevented the Equifax security breach because the details of the breach haven’t been determined.

“Equifax may have had all the controls in place that the NYDFS regulations require,” he said.

The rules require covered banks, insurers, and other financial institutions to create and maintain a cybersecurity program, with a written cybersecurity policy approved by the board or a senior officer; designate a chief information security officer; limit user access privileges to nonpublic information and periodically review those privileges; and notify the state regulator within 72 hours of determining that a reportable cybersecurity event has occurred. The 72-hour clock runs from that determination, not from the intrusion itself, a distinction that matters when a company takes weeks to confirm what happened.

Christian said he didn’t know why Equifax took weeks to report the breach, but there are at least two acceptable reasons that breaches are sometimes not reported right away. One is that law enforcement is involved and determines that notification and disclosure could hinder an investigation. Another is that it takes a long time to do a thorough forensic investigation of the causes and details of a security breach.

Equifax didn’t immediately respond to Bloomberg BNA’s email request for comment.

Possible Tipping Point

The NYDFS cybersecurity rules “lead as the most stringent and comprehensive set of guidelines, and other states are watching closely while considering adopting similar rules,” Sangster said.

Other states or Congress may be motivated to adopt new cybersecurity requirements given the scope of the Equifax breach.

The breach may be a “Sarbanes-Oxley moment,” Sangster said, referring to the federal corporate-accountability law passed in 2002 after the Enron and WorldCom accounting scandals came to light.

Christian said it’s unclear if the Equifax breach is a watershed moment that will lead to new laws or regulations. “We’ve thought that at some other points in the past” after other cybersecurity incidents but didn’t see changes, he said.

To contact the reporter on this story: Donald Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
