New NYS DFS Regulation 23 NYCRR 500 Effective 3/1/17 Requires All NYS Based Financial Services Businesses to Reassess Your Data Destruction Procedures

500.13 Limitation on Data Retention:

As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in 500.01(g)(2)-(3) that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

You are required to maintain auditable records of your  “periodic destruction” of obsolete non-public sensitive information

The “auditable” records must include:

1. Evidence of your periodic destruction activity

2. Regular training of employees for the performance of this task

3. Annual risk assessment and continued suitability of your process.  Keep in mind changes in data storage technology

4. Third party “vendor due diligence” records.  Be aware of the OCC Guidance Letter OCC 2013-29 “Third-Party Relationships Risk Management Guidance”  (Link to OCC letter)

You must retain these auditable records for a period of 5 years.

Good News:

Implementing Our Safe Harbor Express “SHE” Annual Scheduled Secure Data Destruction Agreement Meets With All of These Requirements.

Our SHE agreement not only provides the required activities it includes our “Compliance Library” cloud based project document archive. This tool provides 24/7 access to all of your periodic destruction project records and management reporting tools.

We currently provide our SHE service to over 70% of all NJ based community banks as well as a substantial number of NY community banks.

Please visit https://www.backthruthefuture.com/secure-data-destruction-financial-industry/