UPDATE 4-New York governor wants credit-reporting firms to follow cyber rules

(Adds Equifax confirms cyber incident in March)

WASHINGTON/NEW YORK, Sept 18 (Reuters) - New York Governor Andrew Cuomo said on Monday that he wants credit-reporting firms to comply with the state's cyber-security regulations, while Equifax Inc said it suffered a second cyber incident two months before the one disclosed in early September.

Also on Monday, Bloomberg News reported that federal authorities have opened a criminal probe into stock sales by three Equifax Inc executives before the company disclosed the massive data breach, news that has weighed heavily on the stock price.

Equifax shares rose 1.5 percent on Monday after losing about a third of their value since the hack was announced.

Cuomo said he planned to require all credit-reporting agencies to register with the state and comply with its cyber-security rules.

The proposed regulation would take effect in February, Cuomo said in a statement. If the companies do not register, they risk being barred from doing business with financial companies regulated by New York state.

The state would be able to bar credit-reporting agencies, including TransUnion and Experian Plc, as well as Equifax, from doing business in New York if the state found they engaged in "unfair, deceptive or predatory practices," Cuomo said.

"The Equifax breach was a wake-up call," Cuomo said. "And with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation."

Proposed regulations are typically subject to a period for public comment before they become final.

A New York state cyber-security regulation, the first of its kind in the United States, took effect on March 1. It requires financial firms to take measures to protect networks and customer data from hackers and disclose cyber events to regulators.

Maine is the only U.S. state that requires credit agencies to register, said William Lund, superintendent of the Maine Bureau of Consumer Credit Protection. But its law does not cover cyber security, an issue the bureau will have to consider, Lund said.

Maine, which has been registering credit-reporting agencies since the 1990s, has 30 such agencies on its roster, ranging from the largest to those dealing with everything from check approval to tenants' rental histories, he added.

The three credit-reporting agencies did not respond to requests for comment on Cuomo's plan.

Separately, an Equifax spokesperson confirmed that the company had hired cyber-security firm FireEye Inc to investigate a second incident in March, after Bloomberg News reported the attack late on Monday.

"Equifax complied fully with all consumer notification requirements related to the March incident. The two events are not related," the spokesperson said via email.

The company did not respond when asked how many breaches it has suffered over the past year or to describe their impact.

Bloomberg separately reported that the U.S. Justice Department is investigating whether Equifax's chief financial officer, John Gamble, and two other executives broke insider-trading rules by selling stock after the breach was discovered in July and weeks before it was disclosed this month.

The company has said the executives were unaware of the hack when they sold the stock for $1.8 million. Reuters was unable to confirm the report, and the Justice Department did not respond to requests for comment. (Reporting by Diane Bartz and Suzanne Barlyn; Additional reporting by Sarah N. Lynch and Dustin Volz; Editing by Jim Finkle and Leslie Adler)