Establishment of the Identity Theft Prevention and Mitigation Program

NY-ADR

3/28/18 N.Y. St. Reg. DOS-52-17-00013-E
NEW YORK STATE REGISTER
VOLUME XL, ISSUE 13
March 28, 2018
RULE MAKING ACTIVITIES
DEPARTMENT OF STATE
EMERGENCY RULE MAKING
 
I.D. No. DOS-52-17-00013-E
Filing No. 243
Filing Date. Mar. 09, 2018
Effective Date. Mar. 09, 2018
Establishment of the Identity Theft Prevention and Mitigation Program
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following action:
Action taken:
Repeal of Parts 4600, 4601 of Title 21 NYCRR; renumbering of Parts 4602-4605 and Parts 4607-4608 of Title 21 NYCRR to Parts 220-225 of Title 19 NYCRR; and addition of Part 226 to Title 19 NYCRR.
Statutory authority:
Executive Law, sections 91, 94-a(3)(6) and (9)
Finding of necessity for emergency rule:
Preservation of general welfare.
Specific reasons underlying the finding of necessity:
The massive data breach experienced by Equifax, a large Consumer Credit Reporting Agency, has exposed millions of people to fraud and economic ruin. The “theft” of these individuals’ identities begins with such breach. Equifax (and other such entities experiencing data breaches) is under an obligation to them to provide timely information concerning the status of their credit histories, what is being done to protect them and how they can protect themselves. These rules include mechanisms to facilitate the provision of such information and assistance by: clarifying the status of a “victim of identity theft” as inclusive of an individual who has been victimized by a security breach; requiring, among other things, the filing of a form with the Division that CCRAs establish and notify the Division of a point of contact for Division inquiry and fact finding, and for such point of contact to be available for such dialogue for general matters during regular business hours and within 24 hours in event of a notification of a security breach, and the disclosure to the Division and consumers of proprietary products offered by the CCRA to consumers for the prevention of identity theft, with information as to the fees and contractual provisions associated therewith. Such information will better enable consumers to make informed choices as to what credit monitoring or protection product is suitable for them. It is necessary to immediately adopt this rule so that such information and assistance is available in the event of another breach.
Subject:
Establishment of the Identity Theft Prevention and Mitigation Program.
Purpose:
To facilitate the timely provision of information and assistance to victims of identity theft.
Text of emergency rule:
A new Chapter VIII is added to Title 19; Parts 4600 and 4601 of Title 21 are repealed; Parts 4602-4605 and 4607-4608 of Title 21 are renumbered as Parts 220–225 of Title 19, respectively; and a new Part 226 is added to Title 19 to read as follows:
Part 226 Identity Theft Prevention and Mitigation Program
§ 226.1 Purpose.
The Division of Consumer Protection was created within the Department of State to protect the people of New York State from economic harm resulting from unscrupulous and questionable business practices. The Division is authorized to promulgate rules and regulations to achieve this objective, including the authority to establish and administer the Identity Theft Prevention and Mitigation Program. The Program is intended to: (1) inform consumers about how to protect their personal identifying information; (2) help consumers prevent identity theft, including taking steps to protect their identities once their personal identifying information has been compromised, and (3) help consumers mitigate issues related to the theft of their identities. These regulations establish requisites and procedures to provide consumers with the means to protect themselves against identity theft and to assure that appropriate assistance and complaint resolution mechanisms are in place for the protection and repair of their financial and credit history in the event their personal identifying information has been compromised.
§ 226.2 Definitions.
(a) Victim of identity theft. The term “victim of identity theft” shall mean any natural person whose personal information has been wrongfully obtained by another or is used in some way that involves fraud or deception, typically for economic gain.
(b) Personal information. The term “personal information” shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
(c) Consumer Reporting Agency. The term “consumer reporting agency” means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports or investigative consumer reports to third parties.
(d) Consumer credit reporting agency. The term “consumer credit reporting agency” means a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer's credit worthiness, credit standing, or credit capacity, public record information and credit account information from persons who furnish that information regularly and in the ordinary course of business.
(e) Division. The term “Division” shall mean the Division of Consumer Protection.
(f) Department. The term “Department” shall mean the Department of State.
(g) Program. The term “Program” shall mean the Identity Theft Prevention and Mitigation Program.
§ 226.3 Consumer Assistance.
Persons requesting assistance from the Division to respond to an identity theft concern shall complete a consumer complaint assistance form as prescribed by the Division. The Division, where appropriate, may undertake any activities necessary to help a victim of identity theft obtain any such information and assistance from any entity identified in Executive Law § 94-a3(9)(ii), including, but not limited to, consumer credit reporting agencies, as is necessary to prevent the utilization of such consumer’s personal identifying information in a way that inures to such consumer’s economic detriment, or to mitigate the impacts when such consumer’s personal identifying information has been used to such consumer’s economic detriment.
§ 226.4 Consumer Educational Materials.
The Division shall make available upon request to any person identifying themselves as a victim of identity theft information that provides such victims with guidance in understanding and addressing concerns surrounding an identity theft crime.
§ 226.5 Request for Information.
When the Division of Consumer Protection acts on behalf of a consumer to investigate, mediate and/or mitigate an identity theft complaint, the Division may require substantiating and/or supporting documentation and/or records from any State agency, including the Division of State Police, State public authority, municipal department or agency, county or municipal police department, and any non-governmental entity, including, but not limited to, consumer credit reporting agencies. A consumer credit reporting agency shall comply with the written request of the Division for such documentation and/or records within 10 business days of service of such request, consistent with applicable laws and this Part.
§ 226.6 Consumer Credit Reporting Agency Filing.
Each consumer credit reporting agency operating within the State shall file with the Department such information as the Division finds necessary to effectively administer the Program. Such information shall be disclosed by filing a form provided by the Department and entitled “Consumer Reporting Agency Notice and Contact Information.” Such form shall include, but not be limited to, the following information, which shall be maintained and updated by the filer in the manner prescribed by the Department:
(a) The name of the consumer credit reporting agency.
(b) The principles and officers of the consumer credit reporting agency.
(c) The direct contact information for an individual(s) within the consumer credit reporting agency available to the Division during regular business hours.
(d) The direct contact information for an individual(s) within the consumer credit reporting agency available to the Division within 24 hours of a notification of a security breach pursuant to GBL § 399-aa(8)(a).
(e) Contact information available to consumers, including, the consumer credit reporting agency’s web address, telephone number and email address.
(f) A listing of all proprietary products offered by the consumer credit reporting agency to consumers for the prevention or mitigation of identity theft, any and all fees associated with the purchase of or subscription to such products, and the contractual provisions and disclosures in relation to such purchase or subscription, including, but not limited to: scope of services; liability for negligent or erroneous provision of services, and cancellation requisites.
(g) A listing and description of all business affiliations and contractual relationships with any other entities, where such business affiliations or contractual relationships relate to the provision of any products or services advertised to consumers as products or services available for the prevention or mitigation of identity theft.
(h) The consumer credit reporting agency’s DUNNS number.
§ 226.7 Consumer Information.
Any advertisements or other material promoting proprietary products offered to consumers by a consumer credit reporting agency for the prevention of identity theft must prominently disclose any and all fees associated with the purchase or use of such product, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.
§ 226.8 Violations.
A violation of any of the rules set forth in this Part shall be referred to the Attorney General, Department of Financial Services and/or any other appropriate law enforcement or regulatory entity for action.
This notice is intended to serve only as a notice of emergency adoption. This agency intends to adopt the provisions of this emergency rule as a permanent rule, having previously submitted to the Department of State a notice of proposed rule making, I.D. No. DOS-52-17-00013-EP, Issue of December 27, 2017. The emergency rule will expire May 7, 2018.
Text of rule and any required statements and analyses may be obtained from:
David Mossberg, NYS Department of State, Office of Counsel, One Commerce Plaza, Albany, NY 12231, (518) 474-6740, email: [email protected]
Regulatory Impact Statement
1. Statutory authority:
New York Executive Law § 91 authorizes the Secretary of State to: “adopt and promulgate such rules which shall regulate and control the exercise of the powers of the department of state.” Additional authority is set forth in Executive Law § 94(6), which authorizes the Secretary of State to “implement other powers and duties by regulation,” and Executive Law § 94(9)(i) which authorizes the Secretary of State to “promulgate rules and regulations to administer the identity theft prevention and mitigation program.”
2. Legislative objectives:
Chapter 62 of the Laws of 2011 consolidated the Consumer Protection Board within the Department of State as a division under the supervision of the Secretary of State. Section 94-a of the Executive Law provides the Division of Consumer Protection with general authority to act in the interests of consumers “in order to protect the people of New York state from economic harm.” The Division has long been concerned with the psychologically destructive and economically catastrophic effects of identity theft. It has engaged in public education and outreach, represented the interests of identity theft victims and acted as liaison between them and other entities, both governmental and private. These rules would augment such efforts by establishing an “identity theft prevention and mitigation program (Program).” Among other things, the Program sets forth complaint procedures for consumers and provides for the timely flow of information and assistance critical to consumers exposed to identity theft.
In order to steal an individual’s identity, the criminal must acquire the victim’s personal information. Of great value is the victim’s financial information and credit history, which provides the criminal with a roadmap for the looting of the victim’s wealth. Such information is aggregated, maintained and analyzed by Consumer Credit Reporting Agencies (CCRAs), which provide “consumer credit reports” to entities doing business with consumers. Consumers seeking to obtain such things as mortgages, apartment rentals, and loans must consent to such “credit check” or go without. It is critical to the economic health of all that such information be maintained in the strictest confidence and used only for its intended purpose. Unfortunately, recent events have shown that such is not the case. The massive data breach experienced by Equifax, a large CCRA, has exposed millions of New Yorkers to fraud and economic ruin. The “theft” of these individuals’ identities begins with such breach. Equifax (and other such entities experiencing data breaches) is under an obligation to consumers to provide timely information concerning the status of their credit histories, what is being done to protect them and how they can protect themselves.
These rules include mechanisms to facilitate the provision of such information and assistance by: 1) clarifying the status of a “victim of identity theft” as inclusive of an individual who has been victimized by a security breach; 2) requiring, among other things, the filing of a form with the Division that CCRAs establish and notify the Division of a point of contact for Division inquiry and fact finding, and for such point of contact to be available for such dialogue for general matters during regular business hours and within 24 hours in event of a notification of a security breach, and 3) the disclosure to the Division and consumers of proprietary and other products offered by the CCRA to consumers for the prevention of identity theft, with information as to the fees and contractual provisions associated therewith. Such information will better enable consumers to make informed choices as to what credit monitoring or protection product is suitable for them.
The Secretary of State, empowered to issue these regulations to safeguard the interests of consumers and the public, generally, finds that the ready availability of information and assistance to victims of identity theft and security breaches is critical to their efforts to avoid the potentially devastating consequences of identity theft.
3. Needs and benefits:
The rulemaking, establishing the Identity Theft Prevention and Mitigation Program, facilitates the timely provision of information and assistance by Consumer Credit Reporting Agencies to victims of identity theft and security breaches and the Division of Consumer Protection. The timely provision of such information and assistance will better enable individuals to protect themselves from fraud and financial devastation.
4. Costs:
a. Costs to regulated parties:
The cost to CCRAs to comply with this rule will be nominal.
b. Costs to the Department of State, the State, and Local Governments:
The Department does not anticipate any additional costs to implement the rule.
5. Local government mandates:
The rule does not impose any program, service, duty or responsibility upon any county, city, town, village, school district or other special district.
6. Paperwork:
The rule requires CCRAs to file a form with the Division. It is anticipated that such form will be short and will not require significant resources to complete.
7. Duplication:
The Department currently educates and assists the public with regard to identity theft and mediates on behalf of victims of identity theft. However, the Division has found that the timely provision of necessary information and assistance to such victims is of critical importance to their efforts to protect themselves from, or mitigate the impacts of, the theft. These rules facilitate such timely provision.
8. Alternatives:
The Department considered not proposing the instant rulemaking. However, this rule is needed to provide a clear path for consumers to acquire information and assistance necessary in the wake of a security breach and to better enable the Division to provide support to victims of identity theft.
9. Federal standards:
The proposed amendments do not exceed any minimum standards of the federal government for the same or similar subject areas.
10. Compliance schedule:
Immediate upon adoption.
Regulatory Flexibility Analysis
The rule imposes neither an adverse economic impact on small businesses or local governments; nor reporting, recordkeeping or other compliance requirement on small businesses or local governments.
The massive data breach experienced by Equifax, a large Consumer Credit Reporting Agency, has exposed millions of New Yorkers to fraud and economic ruin. The “theft” of these individuals’ identities begins with such breach. Equifax (and other such entities experiencing data breaches) is under an obligation to consumers to provide timely information concerning the status of their credit histories, what is being done to protect them and how they can protect themselves. This rule includes mechanisms to facilitate the provision of such information and assistance.
Comments will be received and entertained during the public comment period associated with the Proposed Rulemaking.
Rural Area Flexibility Analysis
This rule imposes neither an adverse impact on rural areas; nor reporting, recordkeeping or other compliance requirements on public or private entities in rural areas.
The rule will apply to Consumer Credit Reporting Agencies (CCRAs) which provide services across the state, but are not primarily located in rural areas. This rule requires among other things, that: CCRAs establish and notify the Division of a point of contact for Division inquiry and fact finding, such point of contact be available for such dialogue for general matters during regular business hours and within 24 hours in event of a notification of a security breach, and disclosure be provided to the Division and consumers of proprietary products offered by the CCRA to consumers for the prevention of identity theft, with information as to the fees and contractual provisions associated therewith. It is anticipated that the costs associated with such requirements will be insubstantial.
Comments will be received and entertained during the public comment period associated with the Proposed Rulemaking.
Job Impact Statement
It is apparent from the nature and purposes of this rule that it will not have a substantial adverse impact on jobs or employment opportunities.
This rule will primarily apply to three large Consumer Credit Reporting Agencies (CCRAs).
The rule will require, among other things, that (CCRAs): establish and notify the Division of a point of contact for Division inquiry and fact finding, ensure such point of contact be available for such dialogue for general matters during regular business hours and within 24 hours in event of a notification of a security breach, and provide disclosure to the Division and consumers of proprietary products offered by the CCRA to consumers for the prevention of identity theft, with information as to the fees and contractual provisions associated therewith. It is anticipated that such requirements would have little to no impact on jobs.
Comments will be received and entertained during the public comment period associated with the Proposed Rulemaking.