This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data. Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.
First, some brief context. The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data. 15 U.S.C. § 6801(b). The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem. The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements. The NCUA adopted similarly specific safeguards for credit unions. 12 C.F.R. Part 748, App. A. In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use. And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.
The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes. The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.
But this is beginning to change. And as seen elsewhere in this series, states are leading the way:
New York State’s DFS Cybersecurity Regulations
The Cybersecurity Requirements for Financial Services Companies of the New York State Department of Financial Services (DFS) became effective in 2017. These regulations apply broadly to financial services businesses “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of New York State. 23 NYCRR § 500.1(c). Covered entities must “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems.” 23 NYCRR § 500.2(a).
The NYS DFS regulations are indeed granular, with yet more rigorous requirements for data security than the federal GLBA regulators’ standards. Yet for our purposes, it is with the following requirement that the NYS DFS plows new ground:
“As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information … that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.”
23 NYCRR § 500.13. Nonpublic information is electronic information that is not publicly available and that is either what is commonly considered individuals’ PII (including biometric data and specified health information) or “business-related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity….” 23 NYCRR § 500.1(g)(2)-(3).
Thus, with Section 500.13, the NYS DFS cybersecurity regulations directly require covered financial services businesses (1) to have a records retention schedule tying retention of nonpublic information to legal requirements and business need, and (2) to dispose of such data when it is no longer necessary for legal compliance or legitimate business purposes.
NAIC’s Model Insurance Data Security Law
In the wake of GLBA, nearly every state’s insurance regulator issued some form of data security rules. Most were general, with provisions comparable to the FTC’s GLBA Safeguards Rule, and silent on how long to retain nonpublic customer data. See, e.g., Mo. Code Regs. Ann. tit. 20, § 100-6.110.
In 2017, the National Association of Insurance Commissioners (NAIC) published its Insurance Data Security Model Law. NAIC MDL-668. The NAIC’s Model Law includes requirements for cyber-event investigation and notifications, and it also requires insurance licensees to maintain “a comprehensive written Information Security Program based on the Licensee’s Risk Assessment and that contains administrative, technical, and physical safeguards for the protection of Nonpublic Information and the Licensee’s Information System.” NAIC MDL-668 § 4.
And here is what’s notable – beyond the usual objectives of protecting the security, confidentiality, and integrity of the nonpublic information and the information system and of protecting against unauthorized access to the nonpublic information, the Model Law adds an additional objective to be met by such mandated information security programs:
“Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.”
NAIC MDL-668 § 4(B)(4).
The NAIC Model Law’s provision requiring retention scheduling and disposal once the data is no longer needed has already been adopted in at least the following states: Alabama (effective May 1, 2020), Connecticut (effective October 1, 2020), Delaware (effective July 31, 2019), Louisiana (effective August 1, 2021), Indiana (effective July 1, 2020), Michigan (effective January 20, 2021), Mississippi (effective July 1, 2019), New Hampshire (effective January 1, 2020), Ohio (effective March 20, 2019), South Carolina (effective January 1, 2019), and Virginia (2020).
The pivot is unmistakable. In the microcosm of data security laws focused on the financial services industry, momentum is shifting toward requiring retention scheduling and data disposal as key elements of mandated information safeguards.