Navigating NY DFS Part 500.13: Limitations on Data Retention

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.13: Limitations on Data Retention (Deadline: September 3, 2018)

This section requires the covered entity to maintain documentation for the secure and periodic disposal of nonpublic information that is no longer necessary for the covered entity’s business operations or for other legitimate business purposes. Disposal is not required where such information is required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

The goal of this section is to ensure that nonpublic information is not retained indefinitely without a legitimate business purpose and that, when it is disposed of, it is disposed of securely, to better protect the covered entity and its customers. In my experience, data retention policies and procedures can be implemented relatively easily if planned properly. Data should be grouped and classified using a meaningful relationship, and retention periods should be determined on a case-by-case basis, but should be no shorter than what is required by law or regulation, where applicable.