
Robert Fulghum, who brought us All I Really Need to Know I Learned in Kindergarten, sagely mused “[t]hink what a better world it would be if all … had a basic policy to always put things back where they found them and to clean up their own mess.” So true, throughout our lives, and especially with our data. But alas, too many of us napped through that kindergarten lesson.
Consider this. An account associate handled customer service requests at Healthplex, a New York licensed provider of dental insurance management services. This 20-year Healthplex employee also, over time, accumulated more than 100,000 work emails, containing the private health data and nonpublic information of tens of thousands of consumers.
Then, the inevitable happened. A phishing email elicited the employee’s Office 365 login credentials. Healthplex’s MFA was not fully enforced for users accessing Office 365 from an external web browser, so the stolen password alone was enough. The attackers gained direct access to a treasure trove of protected information, every one of those 100,000-plus emails included.
As a New York Department of Financial Services licensee, Healthplex was subject to the NYDFS Cybersecurity Regulation. Those regulations include a data minimization/storage limitation requirement:
As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information … that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
N.Y. Comp. Codes R. & Regs., tit. 23, § 500.13(b).
What was the cost to Healthplex for permitting an employee to accumulate over 100,000 emails? Under its August 14, 2025 Consent Order, NYDFS assessed a civil monetary penalty against Healthplex of two million dollars, with no allowable tax treatment or insurance indemnification. Had the mailbox held only the messages still needed for business, the same phishing email and the same MFA gap would have exposed far less.
What’s the lesson here?
It’s not that New York has a quirky, outlier rule for insurance licensees. While the NYDFS Cybersecurity Regulation is bespoke, other states are adopting the NAIC’s Insurance Data Security Model Law, which requires insurance licensees to “[d]efine and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.” NAIC Model Law § 4(b)(4). The NAIC Model Law has now been enacted by at least 26 states.
Similarly, the lesson is not limited to insurance licensees. For example:
- The FTC’s Safeguards Rule requires that covered financial institutions maintain procedures for securely disposing of customer information no later than two years after the last date it is used in connection with providing a product or service to the customer, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. 16 C.F.R. § 314.4(c)(6)(i).
- Most states have laws requiring entities with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded. Alabama, Colorado, New Mexico, New York, Oregon, and Rhode Island require that records containing PII be securely disposed of when such records are no longer needed or legally required. Ala. Code § 8-38-10; Colo. Rev. Stat. § 6-1-713(1); N.M. Stat. Ann. § 57-12C-3; N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4); Or. Rev. Stat. § 646A.622(2)(d)(C)(iv); R.I. Gen. Laws § 11-49.3-2(a).
- Under most states’ consumer data privacy laws, “processing” includes storage of personal information, and statutory controllers must not process (e.g., store or retain) consumers’ personal information for purposes not reasonably necessary or compatible with the purposes disclosed to the consumer, absent consumer consent or a statutory exception. Colorado requires both controllers and their processors to delete personal data determined to no longer be necessary, adequate, or relevant to the express processing purposes. Colo. Code Regs. § 904-3(6.07)(B)(1). Florida controllers and processors must implement a retention schedule prohibiting retention of personal data after the initial collection or obtaining purpose is satisfied, or after expiration or termination of the contract pursuant to which the information was collected or obtained, or two years after the consumer’s last interaction with the controller or processor, absent a statutory exemption. Fla. Stat. § 501.719(3). And Minnesota controllers must not retain personal data that is no longer relevant and reasonably necessary for the purposes for which the data were collected and processed, unless retention is otherwise required by law or is permitted by specified exceptions in Minnesota’s consumer data privacy law. Minn. Stat. § 325M.16(2)(g).
Minimizing the data we keep, and limiting how long we keep it, have always been sensible and prudent things to do. Disposing of unnecessary data reduces storage costs, shrinks future ediscovery volumes, and narrows data security and privacy exposures: data that has been securely disposed of cannot be stolen in the next breach. And now, with more laws explicitly requiring data minimization and retention management, data disposal has become a compliance imperative.
So here’s the lesson, for all of us, as clear as putting away our toys when we’re done playing, and keeping our spaces neat and tidy. Less data is more than ever.
