September 1 is the next important date to keep in mind for 23 NYCRR §500
In the works since the big data breaches of 2014, including those of Target and Home Depot, 23 NYCRR §500 was a creation of the New York State Department of Financial Services. It was designed to "promote the protection of customer information as well as the information technology systems of regulated entities."
23 NYCRR §500 officially went into effect March 1, 2017, but had a series of rolling deadlines for when organizations had to meet certain requirements. The next important deadline is September 1, 2018. By then, financial institutions must:
- Keep an audit trail of all financial transactions.
- Keep that information for at least five years.
Further, regulated data:
- Must be encrypted.
- Must be erased when it's no longer needed.
Finally, banks must keep an audit trail of "security events" for three years. Right now, banks are only required to keep such information for 30-60 days. That is a significant change, and a sign of things to come.
New York state of mind
The audit trail and information retention requirements are meant to ensure that, if critical customer information is stolen or destroyed in a cyber attack, it can be recovered. The encryption requirements get at the notion that, if data is stolen, it can't be used by the thieves as quickly or as easily. All of this is for the benefit of the consumer. But these requirements are also beneficial for the affected financial institutions, which might otherwise view themselves as simply having to bear many new and onerous burdens on their businesses.
Data thefts cost money in the short term, as the company must jump into action, lock down and investigate its operations and practices, and possibly reimburse customers who lose money to resulting fraud. In the long term, a company may lose business due to bad press and the resulting loss of customer trust. All this to say that, given the new reality of how consumer data rights are being perceived and acted upon by governmental organizations, it's better for businesses to think about compliance as not just a way to stay on the right side of regulators but as a way in which to thrive moving forward.
Europe's General Data Protection Regulation. California's Consumer Privacy Act. Ongoing talks in the Trump administration about potentially sweeping federal data-privacy regulation. Data regulation is here, and more is coming. It's not an exaggeration to say there's been an awakening when it comes to data issues, in the US and abroad. The regulation surrounding this new thinking will only continue to pile up and evolve.
For the moment, DFS hasn't finalized how it will penalize financial institutions that don't comply with the new law. That will change. Those financial institutions waiting for the other regulatory shoe to drop, so they can get on with their lives, should accept the fact that the shoes have only just begun to drop.