Equifax to Give More Breach Information to New York Regulator

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Gerald B. Silverman

Equifax Inc. intends to respond to a demand letter from New York state regulators seeking further information on the impact of its massive 2017 data breach on New Yorkers, a company spokeswoman told Bloomberg Law Jan. 4.

In the demand letter, which was obtained Jan. 4 by Bloomberg Law, New York Secretary of State Rossana Rosado asked Equifax for data on New York consumer credit card information exposed during the breach, a summary of the company’s plan to resolve consumer disputes, and a copy of the forensic review prepared after the breach.

The credit reporting company announced Sept. 7 that the private information of about 143 million Americans was compromised. The Dec. 27 letter, which was sent as part of the state’s first use of new identity theft regulations, gave Equifax 10 business days after receipt of the letter to respond.

Equifax intends to work with the state “to respond to their letter within the requested time frame,” Meredith Griffanti, a spokeswoman for the company, told Bloomberg Law.

The letter is part of a multi-front effort by New York state in response to the Equifax data breach. The Department of Financial Services has proposed regulations that would subject credit reporting agencies to the state’s new cybersecurity requirements, and Attorney General Eric T. Schneiderman (D) is investigating the breach.

The identity theft regulations give the department the authority to request a range of information from credit reporting agencies in an effort to prevent and mitigate the impact of identity theft.

The specific information requested in the Equifax demand letter includes “a detailed description of Equifax’s core consumers or commercial credit reporting databases and how they differ from the databases that were exposed in the July 29, 2017 breach.”

The state is also requesting data on the company’s response times for the placement, lifting and removal of credit report security freezes for New York consumers since Sept. 7, 2017. Equifax is also being asked to give the state the names of any federal law enforcement agencies that responded to the data breach, including specific contacts in any civil or criminal investigations.

To contact the reporter on this story: Gerald B. Silverman in Albany, N.Y. at gsilverman@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

For More Information

The demand letter is available at http://src.bna.com/vpQ.

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security