Home > Resource Center > Blog > DFS rules for financial firms come up short on Secure Data Disposal
DFS rules for financial firms come up short on Secure Data Disposal

DFS rules for financial firms come up short on Secure Data Disposal

Posted in Blog

Glenn Laga

Department of Financial Services (DFS) Rules 23 NYCRR 500 regarding secure data disposal took effect this March. Here’s our take – the good, the bad, and the ugly – as it relates to secure data disposal.

The newly promulgated law mandates firms to have written cybersecurity policies in place, appoint a Chief Information Security Officer, conduct penetration testing, maintain an audit trail, yada yada. (New York State Department of Financial Services [DFS], 2017) You’ve probably already bitten your nails over the long list, but if you want the full detail, please refer to DFS for a comprehensive overview of the regulation. While the new laws will certainly lead many companies to up their cybersecurity game, most already have some cybersecurity protection in place. While RIA firms and broker-dealers are not directly regulated by DFS (FINRA, the SEC, and state authorities have jurisdiction over them), many banks and insurance companies have agents who are also Registered Investment Advisors or broker-dealer representatives. So it is reasonable to imagine that most firms already have this covered. In fact, we’d be very surprised if your average bank or insurance company didn’t already have a full arsenal of written secure data disposal policies in place. There’s no way that lacking one would go over well with the Chief Compliance Officer!

This law is beneficial because it standardizes and formalizes the secure data disposal guidelines that firms must follow and ups the consequences for negligence.  It deepens the firm’s obligation to follow through on the safeguards their policies dictate. This works in favor of consumers who have entrusted institutions with their confidential information such as medical history, social security numbers, credit card and banking account information, and in some cases even personal passwords.

What we would have like to have seen in this law is more detail regarding secure data disposal. 23 NYCRR 500 Section 500.13, Limitations on Data Retention, does mandate that each covered entity’s policies provide for “the secure disposal on a periodic basis of any Nonpublic Information…that is no longer necessary for business operations.” (DFS, 2017, p. 9) This language is too ambiguous for our liking. We would have liked elaboration on what the term “secure disposal” exactly means. And a definition of “periodic basis” – yearly, semi-annually, quarterly?

Consider this scenario. Many financial firms allow employees to work from home. When an employee is terminated, their laptop’s hard drive most likely houses a jackpot of confidential information about the company and its clients. Many former employees will neglect to clean wipe the device (if continuing to use it) or, in the worst-case scenario, casually dispose of it in their household trash bin without securely destroying the device. Does dropping the hard drive off with the Geek Squad at Best Buy count as secure disposal – how can a financial firm track where it went after that? Or let’s say that the employee doesn’t get around to disposing of the information for two months, during which time her house is burglarized. Or maybe her car is stolen while she’s on the way to dispose of the laptop. And on, and on, and on. The hacker is in the details when it comes to secure data disposal.

While we commend DFS for taking a step in the right direction, we would suggest that financial firms consider implementing a totally compliant and absolute secure data disposal process – whether or not the new law spells out that they have to.

For more information about how secure data disposal should be implemented to protect your firm and comply with the new DFS regulations, please mention this article to your VAR or contact Guardian Data Destruction.

Ready to get started?

Get a quote > Discuss your challenge >

Protected: The difference between IT Asset Logistics versus Shipping (and why it’s important when moving high value assets from A to B).

There is no excerpt because this is a protected post.

Keep Reading >

What is white glove packing for IT assets?

When you request white glove packing for laptops, monitors and other IT equipment, don’t expect actual white gloves. Instead, look for the special care and …

What is white glove packing for IT assets? Keep Reading >

Keep Reading >

The most common questions about packing and shipping IT assets

Guardian’s data destruction services were the evolution of a transportation and logistics company specialized in the transport of new and used IT assets. Today, Guardian …

The most common questions about packing and shipping IT assets Keep Reading >

Keep Reading >

Stay in the know

Get relevant information right in your inbox

We do not sell or share your information with anyone

Previous Next
Test Caption
Test Description goes like this