This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File a form with certain information to the Division of Consumer Protection, including all fees associated with the purchase or use of products and services marketed as identity theft protection products as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.

The FCC has issued a Report and Order and Further Notice of Proposed Rulemaking (Order) adopting new rules to allow voice service providers to proactively block calls from certain numbers that are suspected to be fraudulent. The November 16 Order seeks to prevent fraud or identity theft that often accompanies calls which “spoof” or manipulate Caller ID information. The new rules expressly authorize voice service providers to block robocalls that appear to be from telephone numbers that do not or cannot make outgoing calls, without running afoul of the FCC’s call completion rules.

The new rules apply to four types of calls: invalid numbers (such as those with fictional area codes); unassigned numbers; numbers assigned to a provider but not in use; and valid numbers that the subscriber has placed on a Do-Not-Originate (DNO) list. The DNO list prevents spoofing by blocking calls purporting to be from the legitimate numbers. Commissioner Rosenworcel, providing the lone point of dissent, noted that the new rules do not prohibit carriers from charging consumers for the call blocking services.

The FCC “strongly encourage[s]” providers to cooperatively share information about numbers that subscribers have requested to be blocked; however, the FCC declined to prescribe a sharing mechanism and has not mandated that providers proactively block calls. The FCC made clear that a provider that blocks calls that do not fall within one of the four specific types of calls will be liable for violating Section 201(b) of the Communications Act and associated regulations, which generally prohibit call blocking as an unjust and unreasonable practice. The FCC’s new rules do not extend to text messages and prohibit the blocking of emergency calls.

The Notice of Proposed Rulemaking requests input in two specific areas. First, the FCC seeks comment on the optimal methods to rectify erroneously blocked calls, such as a formal “challenge” process with dedicated timeframes for correction. The Order only encourages companies to adopt procedures to easily identify and fix blocking errors—it does not mandate compliance with a particular mechanism. Second, the FCC seeks comment on ways to measure the effectiveness of its efforts to regulate robocalling. In particular, the FCC is interested to know whether it should institute reporting requirements and, if so, whether that reporting should include a measure of false positives blocked under the new rules. The FCC also invites comment on the benefits and costs of such requirements. Public comments may be submitted through January 23, 2018.

On May 24, 2017, the FTC will hold a daylong conference on identity theft in Washington, D.C.

The conference, “Planning for the Future,” will include panel discussions about how identity thieves acquire and use consumer information, how websites trade in stolen consumer information, the impact of identity theft on financial services, health care and other sectors, the challenges that identity theft victims face, and resources available to identity theft victims.  FTC technical experts will give a presentation on how malicious actors use consumer data available online.

The final agenda indicates that speakers will include FTC, DOJ, Secret Service, and IRS representatives as well as industry representatives and consumer advocates.