New York Strengthens Data Retention & Disposal Requirements

The New York Department of Financial Services’ 23 NYCRR Part 500 has been a part of the compliance landscape for insurance, financial services and healthcare organizations since 2017. Part 500 has transformed the cybersecurity posture of these covered entities, benefiting consumers, employees and other data subjects whose personal data organizations process.

While all the recent amendments to Part 500 have been the subject of considerable discussion, the changes to Section 500.13 will likely have the biggest weight, governing how covered entities manage (and dispose) of their non-public information (NPI) so they can remain Part 500 compliant.

What’s new in Part 500.13

Prior to Nov. 1, 2023, Part 500.13 required the periodic secure disposal of NPI when no longer necessary for business operations. The recent amendment adds a new dimension, compelling covered entities to document and maintain an asset inventory of systems holding their NPI. This includes tracking key information for each asset, including owner, location, classification, support expiration date and recovery time objectives.

So now, in addition to disposing of NPI after there’s no longer an obligation to retain it, covered entities must document the systems that hold their NPI. To comply with this change, covered entities must now know what data they have and where it lives.

The challenges of Part 500.13 compliance  

Three significant compliance challenges are clear:

• Knowing what systems store and manage NPI.
• Defining their legal and regulatory obligations for how long to retain NPI.
• Disposing of NPI systematically, consistently, and defensibly across all assets where it is stored and managed.

Knowing what systems store and manage NPI

Prior to 2016, the most common method for knowing what systems a covered entity had was a configuration management database (CMDB), sort of an inventory of IT systems that documents key properties like purpose, operating system, hardware, network location and application owner. A CMDB is typically owned and maintained by IT to enable proper management and support of these assets.

After 2016, with the introduction of the EU General Data Protection Regulation (GDPR), organizations were required to develop and maintain records of processing activity (ROPA). ROPAs documented the processing activities and systems that handled personal information (PI) of data subjects. Unlike CMDBs, which are IT-focused, ROPAs are privacy compliance-focused and contain more fulsome information about the assets and the business processes they support.

Despite the use of CMDBs and ROPAs, most organizations have a partial view at best of the systems that manage their non-public information. Primarily, this situation is because while CMDBs were an important part of sound IT operational practices — particularly when seeking industry certifications like NIST-CSF, ISO 27001, HITRUST or SOC — it is not specifically tied to legal or regulatory obligations. Conversely, ROPAs’ privacy focus meant that only systems handling PI were included. This resulted in large volumes of NPI that don’t contain PI, now subject to Part 500.13, being out of scope.

CISOs looking to leverage existing mechanisms, such as CMDBs or ROPAs, will need to augment these tools to meet the new standards set by the amended Part 500.13.

Defining obligations for disposing of NPI

Once a covered entity knows what NPI it has and where it’s stored, it needs to determine its legal and regulatory obligations regarding retention.

Prior to the introduction of the GDPR in 2016, the primary mechanism for documenting legal and regulatory obligations pertaining to NPI retention was the records retention schedule (RRS). Typically, an RRS:

• Lists all types of corporate records in use, such as agreements.  
• Provides examples including non-disclosure agreements, master services agreements and vendor contracts.
• Defines the retention time period, such as agreement termination date, plus one year.
• Cites the relevant law or regulation used to determine the time period.

After the GDPR mandated ROPAs, organizations had to identify the purpose for which information was collected to determine information retention time. The GDPR, followed by nearly all subsequent privacy regulations, requires that organizations define the purposes for which it collects PI, retain it only as long as needed to fulfill those purposes and then dispose of it.

For CISOs at covered entities, the combination of records retention schedule and defined purposes of use would seem to make compliance with Part 500.13 much easier. Yet, as with CMBDs and ROPAs, the RRS and defined purposes of use have significant shortcomings that pose challenges for CISOs looking to leverage them for Part 500.13 compliance.

First, RRS typically only defines retention periods for records, which are a subset of NPI. Nearly all records management functions clearly define what constitutes a record versus non-record. As part of established policy, only records are subject to the RRS. For example, drafts of records are not themselves records and, therefore, are not governed by RRS. However, Part 500.13 is blind to whether NPI is in a draft or final version of a document. All NPI must be disposed of once a covered entity no longer has a legal or regulatory obligation to retain it. Therefore, relying on the RRS alone will not enable a covered entity to meet its new obligations.

Second, there’s a gap between how the RRS looks at NPI at the document level and how purpose of use does so at the data element level. Case in point, the RRS cares whether a document is an invoice rather than a contract, while the purpose of use cares whether a data element is biometric data versus a phone number. CISOs seeking to leverage the RRS and purpose of use to guide disposal of NPI will then need to create a cross reference to enable an apples-to-apples view of their legal and regulatory obligations to dispose of NPI. This is easier said than done. Aligning records management and privacy functions to view NPI from each other’s vantage requires a willingness to change their mindset along with committing significant resources to update and augment policies and procedures that reflect this wider perspective.

Disposing of NPI

Once the CISO of a covered entity overcomes the challenges of knowing what NPI they have in what systems and the obligations they have to retain it, they face the most difficult challenge of all: actually disposing of NPI at scale.

Ensuring organizations dispose of NPI is difficult, as most have never done so and don’t have an organizational precedent for doing so. The wide range of stakeholders who must come together and decide how to structure enterprise NPI disposal efforts — records management, privacy, litigation, IT, cybersecurity, data governance and business data owners — typically haven’t been able to achieve consensus in the past. Each brings differing, and often conflicting, perspectives on NPI’s value, the risks of over-retaining versus disposing and the level of effort commensurate with the organization’s level of risk.

Even where these stakeholders come together and agree that NPI must be disposed of once past the legal or regulatory obligation to retain it, the inability to align on the proper course of action, NPI disposal activity roles and responsibilities, necessary technology and budget requirements may cause the effort to fail.

CISOs accountable for Part 500 attestation must work to overcome this gridlock to ensure comfort in attesting. Otherwise, they’ll have to asterisk their attestation or refuse to attest. Both of those options would result in devastating outcomes for their covered entities.

A path forward for Part 500.13 compliance

CISOs of covered entities should tackle these challenges on two fronts by developing an asset inventory and enabling NPI disposal.

Developing an asset inventory is the most straightforward task, as the relevant stakeholders are primarily IT and business system owners and because the required Part 500.13 information is narrow and knowable. It will take time to uncover the dozens, hundreds or thousands of systems that store NPI, along with identifying the people with enough knowledge to complete the inventory. Ultimately, however, this is nothing more than compiling a list.

NPI disposal, on the other hand, is an exercise in large-scale organizational change that requires multiple functions to rethink their understanding of NPI and how they work with it. Long-standing assumptions about NPI’s risk and value, the proper accountability and responsibility for it and the scope of how functions interact with it need to shift before disposing of a single piece of NPI. Even then, the organization must sustain a multi-year effort touching nearly every system and affecting nearly every department.  

A framework approach to NPI disposal

CISOs at covered entities need to adopt a framework approach to NPI disposal that covers every step of the journey, from required policies and procedures to the execution of NPI disposal at scale. While the details will vary between covered entities, the following provides a roadmap for helping covered entities ensure NPI disposal success and giving CISOs Part 500.13 compliance confidence.

Covered entities should begin by assessing their information governance capabilities for data disposal. This assessment can be based on a range of industry accepted frameworks, such as those from the Sedona Conference, ARMA International, ISO or NIST.

From there, the covered entity should close gaps in its policies and procedures related to data disposal, such as those owned by records management, privacy, litigation and data governance. It can then select the technology solutions appropriate to assist efforts, from asset inventory and data discovery solutions to specialized tools designed to facilitate data disposal in structured and unstructured systems.

With that done, the covered entity needs to risk-rank the systems that store NPI to make thoughtful, data-driven decisions about which should be addressed in what order. This exercise will help to build an NPI disposal execution plan. As NPI disposal is a multi-year effort, this plan will need to be revisited as NPI disposal progresses to ensure the covered entity continues its Part 500.13 compliance progress in its risk reduction journey.

Finally, the covered entity needs to execute NPI disposal at scale incrementally, disposing of NPI past the obligations to retain it quarter-over-quarter. Only at this point can a CISO breath easy and make a more informed due diligence effort for Part 500 compliance. While perhaps works in progress, when an organization’s NPI disposal efforts are on sure footing, CISOs have greater confidence attesting that Part 500.13 requirements are being followed consistently and effectively.