01 / THE LOCAL LANDSCAPE
Financial data and patient records
New York City is the country's financial capital, and its banks, broker-dealers, insurers, and asset managers retire hardware that holds account data, trading records, and customer financial information. Alongside finance sit some of the nation's largest health systems and academic medical centers, whose retired devices carry protected health information.
The density matters: a single misrouted drive can hold tens of thousands of residents' financial or medical records. In a market this concentrated, the disposition of retired IT is a frontline data-security control, not a back-office afterthought.
02 / THE COMPLIANCE OVERLAY
GLBA, NYDFS Part 500, and HIPAA
Financial institutions answer to GLBA safeguarding duties, SOX records controls, and New York's own NYDFS Cybersecurity Regulation (23 NYCRR 500), which requires secure disposal of nonpublic information. Health systems answer to HIPAA, whose Security Rule requires media sanitization before disposal or reuse. The destruction itself is measured against NIST 800-88.
State law raises the floor further: New York bans covered electronics from disposal and, under the SHIELD Act, requires notifying three state bodies on a breach. (See the New York state compliance page for the full disposal-and-breach picture.) Bottom line: in New York the question is never whether disposal is regulated, but how well you can prove you did it right.
03 / WHAT IT MEANS
One documented process for both regulators
A bank and a hospital face different regulators but the same disposition problem: prove the data on retired hardware is gone. One certified process answers both — chain of custody, NIST 800-88 sanitization or destruction, and a serialized certificate of destruction per asset that stands up to a GLBA examiner, a HIPAA auditor, and a SHIELD Act inquiry.
CyberCrunch is an R2v3, NAID AAA, RIOS, and PA DEP certified IT asset disposition and data destruction provider headquartered in Greensburg, Pennsylvania, serving organizations across New York City and all 50 states with on-site and facility-based destruction and documented recycling.
04 / SOURCES
Where this comes from
- NYDFS Cybersecurity Regulation (23 NYCRR Part 500) — NY Department of Financial Services
- New York breach & e-waste law — CyberCrunch New York compliance page
This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.
05 / FAQ
Frequently asked questions
How should a NYC financial firm dispose of old hardware?
Through a documented process meeting GLBA safeguarding, NYDFS Part 500 secure-disposal requirements, and NIST 800-88 destruction, with serialized certificates and chain of custody.
What does HIPAA require for retired devices?
The Security Rule requires sanitizing or destroying electronic protected health information on media before disposal or reuse; documentation evidences compliance.
Can a New York business landfill old computers?
No. New York bans covered electronics from disposal, and improper business disposal can draw penalties plus cleanup costs.
Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against the SHIELD Act's three-agency notification.