New Reason to Revisit Your File Retention Schedule
Proper disposal of nonpublic personal information is increasingly important as more regulations include provisions on document destruction, both in electronic and paper form. The latest compliance requirement stems from the New York Cybersecurity Rule: By Sept. 3, 2018, all covered entities (resident and non-resident agencies and producers licensed in New York) must develop procedures for routine, proper disposal of personal data.
The good news: As part of your compliance efforts with other federal rules (think Consumer Information Disposal Rule or HIPAA Security Rule), or simply in an effort to use best practices, you may already have implemented procedures that address vulnerabilities in document disposal. If not, now is the time to revisit your procedures.
In general, reasonable disposal measures include:
- Shredding, burning, or pulverizing papers
- Destroying or erasing electronic files (which is not the same as simply deleting)
- Conducting due diligence and hiring a document destruction contractor to dispose of consumer report information
Bottom line: You should always address disposal as part of an information security plan.
Access our state-specific resources on the Consumer Information Disposal Rule: