23 NYCRR 500, Expanding the Scope of Data Security

Published on 11 May 2017

As data privacy and security concerns become more prevalent, governmental bodies are reacting by issuing regulations focused on personal information security. One of the latest is 23 NYCRR 500, issued by the New York Department of Financial Services.

The regulation’s main focus is to heighten the overall security measures currently applied by financial services in New York State.

The NY DFS is approaching customer privacy by expanding the types of data organizations should protect. It uses a specific term for these data variants, calling them nonpublic information.


What counts as nonpublic information?

The NY DFS definition of nonpublic information covers all business-related information that, when tampered with, would cause a material adverse impact to the organization. But it doesn’t stop there: it also includes all customer-provided Personally Identifiable Information (PII) that is collected and processed by financial institutions.

Apart from the usual (name, address, phone number, social security number), nonpublic information also includes anything that can be used to distinguish or trace an individual’s identity.

The regulation is clear on what constitutes PII. Here’s a quick rundown: any information…

  • that an individual provides to a financial service.
  • that was obtained by a financial service during a transaction.
  • except for age or gender, that was obtained from a health care provider and relates to the physical, mental or behavioral health of the customer.
  • that functions as an identifier, including date and place of birth, mother’s maiden name, and biometric records.
  • that is linked or linkable to an individual, including but not limited to medical, educational, financial, occupational or employment information.
  • about an individual used for marketing purposes.
  • that can remotely be tied to an individual, such as a user ID, IP address or MAC address.
  • containing a password or other authentication factor of an individual.


Why does it matter?

Organizations providing financial services in the state of New York must redefine privacy policies and procedures to comply with the regulation. They also need to evaluate what IT assets are being used to process and store nonpublic information. Some data may now require an added level of security.

A greater emphasis must be put on securing data and defining who has access to assets containing nonpublic information.


In our next blog, we will touch on how this translates to real-world security measures that can be applied to comply with the new regulation.

In the meantime, if you would like to learn how Balabit can help you comply with 23 NYCRR 500, download our white paper here.

by István Molnár

István is the Compliance expert at Balabit, with extensive knowledge and understanding of international standards, regulations, and frameworks. He acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.
