We’ve already seen how new FTC regulations for GLBA-regulated financial institutions require retention schedules and disposal of unnecessary data as essential data security controls. The FTC is now also taking that position for all businesses under Section 5 of the FTC Act, as seen in a slew of recent FTC data security enforcement actions.

Two

The FTC has updated its data security regulations for the financial institutions it regulates under the Gramm-Leach-Bliley Act (GLBA). The FTC’s revised requirements for information security programs, effective June 1, 2023, will now mandate data retention policies and disposal of unnecessary customer information.

To appreciate what this means, we must take a quick look at

Two years ago I made a prediction: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance.  Buckle up.”

This was the last line of a 2021 blog series exploring then-recent developments in United States’ data privacy and security

Messy white jigsaw puzzle piecesIt’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. 

Scope of PII

State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:
Continue Reading The Puzzle of State PII Breach Notification Statutes

In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements:

Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

As mentioned earlier, The FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA.  It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  The FTC’s targeted businesses for Section 5 data security enforcement have ranged from the large and well-known to the small and obscure.  But the common theme is that the business, according to the FTC, either deceptively or unfairly engaged in unreasonable and inadequate data security practices for consumers’ personal information (PI).

In several Section 5 enforcement proceedings before 2019 the FTC alleged that the combination of several inadequate data security practices “taken together,” and including retaining consumers’ PI beyond any business need, can collectively be an unfair trade practice under Section 5.  Such past FTC data security matters mentioning over-retention include enforcement actions against BJ’s Wholesale Club, Inc., DSW Inc., Life is good, Inc., Ceridian Corporation, and Cbr Systems, Inc.

But in its recent Section 5 enforcement actions against InfoTrax Systems and SkyMed International, the FTC has changed its approach, elevating over-retention to be a core data security failure.  In each of these cases, as it had in the past, the FTC alleged multiple data security lapses, including the failure to dispose of PI once “no longer necessary.”  Yet the language of these recent complaints no longer uses the “taken together” language of the earlier enforcement actions, allowing over-retention of PI to stand on its own as an unreasonable data security practice.  And the consent orders in these cases, unlike the FTC’s earlier enforcement matters, set forth the explicit, independent requirement that the respondents must have policies, procedures, and measures to delete PI once it is no longer necessary.
Continue Reading Less data is more than ever: The FTC and the reasonable data security program

Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data.  Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.

First, some brief context.  The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data.  15 U.S.C. § 6801(b).  The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem.  The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements.  The NCUA adopted similarly specific safeguards for credit unions.  12 C.F.R. Part 748, App. A.    In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use.  And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.

The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes.  The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.

But this is beginning to change.  And as seen elsewhere in this series, states are leading the way:
Continue Reading Less data is more than ever: state-level data security laws for the financial services sector