Navigating NY DFS Part 500.15: Encryption of Nonpublic Information

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.15: Encryption of Nonpublic Information (Deadline: September 3, 2018)

This section requires controls, including encryption, to be used to protect nonpublic information held or transmitted by the covered entity (1) while such information is in transit and (2) while it is at rest. If the covered entity determines that encryption is infeasible in either of these situations, it may instead use “effective alternative compensating controls” that have been approved by the covered entity’s CISO. If the covered entity uses such “compensating controls,” the CISO must review them at least annually.