NY Cybersecurity Regulation: Data Retention & Disposal Requirements
Question from a Big I NY member: “Question regarding data retention. In our agency management system (AMS), we retain files as long as the provider does. Is that acceptable? We do so for protection, i.e., say we wrote life insurance and fifteen years later the client dies and the company claims some type of misrepresentation from the insured on the application. We would want all of the backup notes, signed forms, and questionnaires. Is this okay? I could not find on your website anything addressing this besides that we need to keep for the required legal periods, say seven years as a minimum, but what about longer?
Also, say a client leaves us, I do not delete their files in the AMS. They may come back, and if so, I do not have to develop all the same information again, such as address, date of birth, etc., or maybe a coverage issue arises down the road from pollution liability, etc. Am I under any obligation to wipe a client off the AMS after they are no longer a client, after say seven years, or am I allowed to retain?”
Answer: Section 500.13 of the regulation states:
“(b) As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information identified in section 500.1(k)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.”
Section 500.1(k)(2)-(3) states:
“(k) Nonpublic information means all electronic information that is not publicly available information and is: …
(2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
(i) social security number;
(ii) drivers’ license number or non-driver identification card number;
(iii) account number, credit or debit card number;
(iv) any security code, access code or password that would permit access to an individual’s financial account; or
(v) biometric records;
(3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
(i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family;
(ii) the provision of health care to any individual; or
(iii) payment for the provision of health care to any individual.”
Section 500.13 requires your agency to have policies and procedures for periodically securely disposing of these types of information that are no longer necessary for the agency’s operations or other legitimate business purposes. The determination of when the information is no longer necessary is entirely up to you. It could vary from one agency to another, and even within an agency it might vary depending on the type of information it is. The only exceptions are:
- Where another law requires you to retain the information (I can’t think of an example offhand.)
- Where it’s infeasible for you to delete it (for example, some agency management systems leave the agency with no control over data storage.)
As a side note, New York insurance laws and regulations require agencies to retain copies of only three types of documents, and none of them fall under this regulation. They are service fee agreements; premium account records; and producer compensation disclosures, and they must be retained for at least three years. While the law does not require you to retain other types of client records, the E&O attorneys recommend retaining them for at least seven years as a loss control measure because the statute of limitations for suing an agency in New York is six years. See The E&O Report, July 2013: “Because New York law provides that an insured has up to six years from the time when an error or omission occurs in order to commence legal action against an agency or brokerage, we always recommend that every agency or brokerage retain all documents for a period of at least seven years or even longer if possible.”
The key thing with this section of the regulation is that you must have written policies and procedures for how long you will retain non-public information and how you will securely dispose of it when you don’t want or need it anymore. Those policies and procedures are entirely up to you. The sample cybersecurity program the DFS provides contains this content about the data retention requirements:
“1. Describe how you dispose of nonpublic information when it is no longer necessary for business operations or for other legitimate business purposes:
2. Describe how long nonpublic information is retained, both generally and for any special categories where the general rule does not apply: …
Examples of secure disposal methods include: shredding paper so nonpublic information cannot be read or reconstructed; destroying or erasing electronic files or media so that nonpublic information cannot be read or reconstructed; and hiring a qualified third-party service provider who can provide such secure disposal. More information is available from the U.S. Cybersecurity and Infrastructure Security Agency at https://www.cisa.gov/sites/default/files/publications/DisposeDevicesSafely.pdf.”
Just remember, the longer you retain non-public information, the longer you must protect it.