The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up Data Retention programs.
It was an interesting world to work in, because although many companies have regulatory requirements around limiting data retention, not all do. Sometimes, making a sale was not based on convincing a client of regulatory requirements, but on logic. We used to say, “you can’t have a breach of data that you don’t have” or “you don’t have to protect data that you don’t keep.” Limiting data retention is a no-brainer – every company should take this seriously to protect their organization and minimize the effects of a potential breach or other incident.
Section 13 of NY DFS’s Reg 500 (23 NYCRR 500.13, Limitations on Data Retention) specifically requires Covered Entities to put limitations on data retention. To paraphrase the five-line, one-sentence run-on that is Section 13: NY DFS mandates that Covered Entities have policies and procedures in place to securely dispose, on a periodic basis, of NPI that is no longer necessary for business operations or other legitimate business purposes, except where the law requires the information to be retained or where targeted disposal is not reasonably feasible given how the information is stored. It’s a fairly simple requirement, but note the two qualifiers: a legal hold or a statutory retention period overrides the disposal obligation, and you need to be able to show why disposal was not feasible if you rely on that exception.
The tricky part is this: there are no best-practice retention guidelines for NPI, per se. Meaning, you won’t find any credible guidance on how long to retain Social Security Numbers, email addresses, bank account numbers, etc. Rather, retention is defined at a higher-level category of information that Securibly refers to as Records. Records include things like personnel files, contracts, tax returns and so on. See how this is different? A “personnel file” might contain all kinds of NPI, such as SSN, address, name, phone number, date of birth and so on. The practical consequence is that your retention schedule is written against Records, and the NPI inside each Record inherits that Record’s retention period; to know when a given piece of NPI should be disposed of, you first have to know which Records it lives in, which is why the data inventory has to come before the schedule.
Section 13 still applies even under the most common exemption in Reg 500 (the limited exemption in Section 19(a), which excuses small Covered Entities from several sections but not from Section 13). Meaning, most small and one-person operations still have to implement a process for limiting data retention. You need a policy that outlines your process for securely disposing of NPI, and you need a schedule that governs when you should get rid of Records. This requirement goes beyond just Reg 500 compliance and should be done diligently with the help of expert guidance.
Securibly can provide a retention policy and schedule to get you started.