Time To Update Your Data Destruction Policy?

August 21, 2018 at 9:13 am

I think credit unions would be well advised to start thinking of their record retention policies as their data destruction policies at least when it comes to electronically stored information.

New York State sent out a reminder that institutions subject to its cybersecurity regulations have an important series of measures that they must implement by September 4th. Although many Federal credit unions aren’t subject to these regulations, much of what DFS is requiring constitutes a good framework to consider when devising your own data protection policies and procedures.

Under New York State’s regulations, covered entities must, as part of their cybersecurity programs, have policies and procedures in place “for the secure disposal on a periodic basis of any non-public information…that is no longer necessary for business operations or for other legitimate business purposes.” This general prohibition does not apply when the information must be retained for legal or regulatory purposes or where disposal is not feasible because of the way it is stored.

There’s a lot packed away in that mandate and I think it’s worth it for every credit union to examine how it would comply with it. For example, there’s a perception that when in doubt it is better to hold onto information such as emails and applications. In fact, in the age of electronically stored information, you are putting your credit union and your members at unnecessary risk by retaining personally identifiable information longer than you are required or need to. Remember, every day you have PII in your system is one more day hackers have to steal your members’ information. It is also one more day that you could conceivably face liability for letting such information slip into the wrong hands. In reviewing what constitutes a necessary business purpose, don’t let your marketing department convince you that you need to retain the personally identifiable information of every person who ever walked through the credit union’s door.

Aside from the litigation threat, which for many credit unions probably isn’t all that great, there is the simple reality that your organization, irrespective of its size, has limited space and resources to keep its information. A well thought out and executed policy in which unnecessary data is purged from your system will help you maximize your IT resources while putting employees on notice that your email system is not to be used as an electronic file cabinet.

When deciding what stays and what goes, I would utilize the standards that have evolved in the Federal courts in recent years. When deciding motions for discovery requests, Federal courts generally have balanced the “undue hardship and expense of retrieving the requested electronic data against the importance of the information to the ongoing litigation.” Again, while your credit union may not face litigation, it makes perfect sense for you to balance the need for retaining the information in electronic form against the burden being placed on your credit union.

One more thing. Your policies for electronically stored information will evolve over time as your credit union evolves. What is burdensome for a $25 million asset credit union may not be burdensome once that credit union’s assets grow to $100 million. As a result, someone has to be in charge of not only reviewing your procedures and policies but actually modifying them as the scope of your credit union’s activities changes.

 



Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
