Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

As mentioned earlier, The FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA.  It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  The FTC’s targeted businesses for Section 5 data security enforcement have ranged from the large and well-known to the small and obscure.  But the common theme is that the business, according to the FTC, either deceptively or unfairly engaged in unreasonable and inadequate data security practices for consumers’ personal information (PI).

In several Section 5 enforcement proceedings before 2019 the FTC alleged that the combination of several inadequate data security practices “taken together,” and including retaining consumers’ PI beyond any business need, can collectively be an unfair trade practice under Section 5.  Such past FTC data security matters mentioning over-retention include enforcement actions against BJ’s Wholesale Club, Inc., DSW Inc., Life is good, Inc., Ceridian Corporation, and Cbr Systems, Inc.

But in its recent Section 5 enforcement actions against InfoTrax Systems and SkyMed International, the FTC has changed its approach, elevating over-retention to be a core data security failure.  In each of these cases, as it had in the past, the FTC alleged multiple data security lapses, including the failure to dispose of PI once “no longer necessary.”  Yet the language of these recent complaints no longer uses the “taken together” language of the earlier enforcement actions, allowing over-retention of PI to stand on its own as an unreasonable data security practice.  And the consent orders in these cases, unlike the FTC’s earlier enforcement matters, set forth the explicit, independent requirement that the respondents must have policies, procedures, and measures to delete PI once it is no longer necessary.

In re InfoTrax Systems, L.C., No. C-4696 (F.T.C. December 30, 2019) (final complaint & consent order)

InfoTrax is a technology company that provides backend operations systems and online distributor tools for the direct sales industry.  InfoTrax possessed personal information of over eleven million consumers.  Through a series of intrusions into InfoTrax’s systems between 2014 and 2016, hackers accessed and exfiltrated the personal information of over one million of those consumers.

In a 2019 enforcement action under FTC Act Section 5, the FTC alleged that InfoTrax “engaged in a number of unreasonable security practices,” and among them that InfoTrax “ failed to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary….”

The resulting consent order requires that InfoTrax, among other matters, must implement, maintain, and document security safeguards for consumers’ PI, including “Policies, procedures, and technical measures to systematically inventory Personal Information stored on [InfoTrax’s] network and delete Personal Information that is no longer necessary….”

In re SkyMed International, No. C-4732 (F.T.C. January 26, 2021) (final complaint & consent order)

SkyMed International sells emergency travel membership plans covering various emergency travel and medical evacuation services for members.  SkyMed thereby possessed personal identifying information, payment card information, and sensitive health information for thousands of customers.  In early 2019, a security researcher found an unsecured cloud database, maintained by SkyMed and publicly available in the internet, containing 130,000 membership records, with members’ personal information, including sensitive personal medical information, available in plain text.

In its Section 5 enforcement action, the FTC’s complaint alleged that SkyMed “has engaged in a number of practices that failed to provide reasonable security for the personal information it collected….”  Among other security failures, the FTC alleged that SkyMed “failed to have a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on [SkyMed’s] network that is no longer necessary….”  Notably, the complaint alleges that “consumers had no way to know about respondent’s security failures [plural],” and that SkyMed “could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC approved the settlement and consent agreement with SkyMed on January 26, 2021.  Under the consent order, SkyMed must implement, maintain, and document security safeguards, including “Policies, procedures, and technical measures to systematically inventory Personal Information in [SkyMed’s] control and delete Personal Information that is no longer necessary….”

These recent cases are not the first time that the FTC has encouraged data disposal as a security safeguard.  For example, the FTC’s 2015 guidance document Protecting Personal Information:  A Guide for Business included the “Scale Down” principle, which is to keep only what you need for your business:

“If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary. …  If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.”

Sound advice, then and now.  But it is only now, in the recent SkyMed and Infotrax enforcement matters, that the FTC has elevated this guidance into its Section 5 enforcement positions that (1) over-retention of consumer PI is a stand-alone unreasonable data security practice, and (2) a reasonable information security program includes data retention scheduling under which consumer PI is disposed of when no longer necessary.

One last point.  Consider how many business contracts have terms requiring reasonable data security by the counterparties, as well as how many laws generically require reasonable data security safeguards.  If the FTC’s position in SkyMed and Infotrax takes hold more broadly, the repercussions for over-retention will be sweeping in scope.