As data privacy and security concerns become more prevalent, governmental bodies are reacting by issuing regulations focused on personal information security. One of the latest is 23 NYCRR 500, issued by the New York Department of Financial Services.
The regulation’s main focus is to heighten the overall security measures currently applied by financial services in New York State.
The NY DFS approaches customer privacy by expanding the types of data organizations should protect. It uses a specific term for these data variants, calling them nonpublic information.
What counts as nonpublic information?
The NY DFS definition of nonpublic information covers all business-related information that, when tampered with, would cause a material adverse impact to the organization. But it doesn’t stop there: it also includes all customer-provided Personally Identifiable Information (PII) that is collected and processed by financial institutions.
Apart from the usual (name, address, phone number, social security number), nonpublic information also includes anything that can be used to distinguish or trace an individual’s identity.
The regulation is clear on what constitutes PII. Here’s a quick rundown: any information…
- that an individual provides to a financial service.
- that was obtained by a financial service during a transaction.
- except for age or gender, that was obtained from a health care provider and relates to the physical, mental or behavioral health of the customer.
- that functions as an identifier, including date and place of birth, mother’s maiden name and biometric records.
- that is linked or linkable to an individual, including but not limited to medical, educational, financial, occupational or employment information.
- about an individual used for marketing purposes.
- that can be tied remotely to an individual, such as a user ID, IP address or MAC address.
- containing a password or other authentication factor of an individual.
Why does it matter?
Organizations providing financial services in the state of New York must redefine privacy policies and procedures to comply with the regulation. They also need to evaluate what IT assets are being used to process and store nonpublic information. Some data may now require an added level of security.
A greater emphasis must be put on securing data and defining who has access to assets containing nonpublic information.
In our next blog, we will touch on how this translates to real-world security measures that can be applied to comply with the new regulation.
In the meantime, if you would like to learn how Balabit can help you comply with 23 NYCRR 500, download our white paper here.