Department of Financial Services (DFS) Rules 23 NYCRR 500 regarding secure data disposal took effect this March. Here’s our take – the good, the bad, and the ugly – as it relates to secure data disposal.
The newly promulgated law mandates that firms have written cybersecurity policies in place, appoint a Chief Information Security Officer, conduct penetration testing, maintain an audit trail, yada yada. (New York State Department of Financial Services [DFS], 2017) You’ve probably already bitten your nails over the long list, but if you want the full details, please refer to DFS for a comprehensive overview of the regulation. While the new law will certainly lead many companies to up their cybersecurity game, most already have some cybersecurity protection in place. While RIA firms and broker-dealers are not directly regulated by DFS (FINRA, the SEC, and state authorities have jurisdiction over them), many banks and insurance companies have agents who are also Registered Investment Advisors or broker-dealer representatives. So it is reasonable to expect that most firms already have this covered. In fact, we’d be very surprised if your average bank or insurance company didn’t already have a full arsenal of written secure data disposal policies in place. There’s no way that lacking one would go over well with the Chief Compliance Officer!
This law is beneficial because it standardizes and formalizes the secure data disposal guidelines that firms must follow and ups the consequences for negligence. It deepens the firm’s obligation to follow through on the safeguards their policies dictate. This works in favor of consumers who have entrusted institutions with their confidential information such as medical history, social security numbers, credit card and banking account information, and in some cases even personal passwords.
What we would have liked to see in this law is more detail regarding secure data disposal. 23 NYCRR 500 Section 500.13, Limitations on Data Retention, does mandate that each covered entity’s policies provide for “the secure disposal on a periodic basis of any Nonpublic Information…that is no longer necessary for business operations.” (DFS, 2017, p. 9) This language is too ambiguous for our liking. We would have liked elaboration on what the term “secure disposal” exactly means. And a definition of “periodic basis” – yearly, semi-annually, quarterly?
Consider this scenario. Many financial firms allow employees to work from home. When an employee is terminated, their laptop’s hard drive most likely houses a jackpot of confidential information about the company and its clients. Many former employees will neglect to wipe the device clean (if continuing to use it) or, in the worst-case scenario, casually dispose of it in their household trash bin without securely destroying the drive. Does dropping the hard drive off with the Geek Squad at Best Buy count as secure disposal – and how can a financial firm track where it went after that? Or let’s say that the employee doesn’t get around to disposing of the information for two months, during which time her house is burglarized. Or maybe her car is stolen while she’s on the way to dispose of the laptop. And on, and on, and on. The hacker is in the details when it comes to secure data disposal.
While we commend DFS for taking a step in the right direction, we would suggest that financial firms consider implementing a fully compliant, absolutely secure data disposal process – whether or not the new law spells out that they have to.
For more information about how secure data disposal should be implemented to protect your firm and comply with the new DFS regulations, please mention this article to your VAR or contact Guardian Data Destruction.