Deleting Data

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains.  Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business.  Yet oddly, U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed.  And state laws requiring secure disposal of records containing PII have commonly focused on how such records must compliantly be disposed of, not when.  But recent changes in state-level security program and secure disposal statutes signal a change, with state laws now requiring businesses to dispose of PII when no longer required by retention laws or otherwise needed for business purposes.

State-level Secure Disposal Laws

A majority of the states have statutes requiring businesses with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded.  Most such statutes were enacted in the 2000s and, similar to the federal Disposal Rule under FACTA, specify compliant means for securely disposing of protected information.  For example, Nevada as of 2006 requires secure destruction of records containing customer personal information “when the business decides that it will no longer maintain the records,” and New York in 2006 mandated secure disposal of records containing PII, without any mention of when such records should be disposed of.  Nev. Rev. Stat. § 603A.200(1); N.Y. Gen. Bus. Law § 399-h(2).

But now, such state-level secure disposal statutes have begun to also speak to when such records must be disposed of, tied to legal retention requirements and business need:

    • Alabama, effective 2018, requires that a business “take reasonable measures to dispose, or arrange for the disposal, of records containing sensitive personally identifying information within its custody or control when the records are no longer to be retained pursuant to applicable law, regulations, or business needs.”  Ala. Code § 8-38-10 (emphasis added).
    • Colorado, as of 2018, requires businesses to maintain a written policy for secure disposal of documents containing PII, and that such disposal policies “must require that, when such paper or electronic documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain personal identifying information by [specified security measures].”  Colo. Rev. Stat. § 6-1-713(1) (emphasis added).
    • New Mexico, effective 2017, mandates that “[a] person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes.”  N.M. Stat. Ann. § 57-12C-3 (emphasis added).
    • Rhode Island, effective as of 2016, requires that businesses “shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law.”  R.I. Gen. Laws § 11-49.3-2(a) (emphasis added).

State-level Data Security Program Laws

At least 20 states over the last two decades have enacted laws mandating that businesses with PII of state residents maintain reasonable security procedures and practices.  The vast majority of such state statutes have simply required “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” without specifying any particular security controls or measures.  See, e.g., Cal. Civ. Code § 1798.81.5(b).  Massachusetts garnered attention back in 2010 when it required that businesses comply with its regulatory Standards for the Protection of Personal Information of Residents of the Commonwealth, which contains numerous specific data security requirements, but is nevertheless silent on when to dispose of PII.  201 Mass. Code Regs. 17.00.

For many years the sole outlier on this point was Oregon’s 2008 statute, which lists various security measures that, if implemented, would allow a business’s information security program to be deemed compliant.  One such security measure is “[d]isposing of personal information … after the covered entity or vendor no longer needs the personal information for business purposes or as required by local, state or federal law by [specified security measures].”  Or. Rev. Stat. § 646A.622(2)(d)(C)(iv).

But Oregon is no longer an outlier.  As of 2020, New York requires businesses that own or license computerized data with PII of a New York resident to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.  Among the listed security measures a business must implement to be deemed compliant is that it “disposes of [PII] within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”  N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4) (emphasis added).

So now, businesses with PII of residents of Alabama, Colorado, New Mexico, New York, Oregon, and Rhode Island must comply with data security and disposal laws requiring that PII be disposed of when no longer required by retention laws or otherwise needed for business purposes.

And since most of these states adopted these requirements in just the last few years, the trend suggests that such requirements may spread to yet more states.  Prudent companies will carefully manage retention of their PII data, with retention scheduling tied to legal retention requirements and business needs.