This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains. Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business. Yet oddly, U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed. And state laws requiring secure disposal of records containing PII have commonly focused on how such records must compliantly be disposed of, not when. But recent changes in state-level security program and secure disposal statutes signal a change, with state laws now requiring businesses to dispose of PII when no longer required by retention laws or otherwise needed for business purposes.
State-level Secure Disposal Laws
A majority of the states have statutes requiring businesses with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded. Most such statutes were enacted in the 2000s and, similar to the federal Disposal Rule under FACTA, specify compliant means for securely disposing of protected information. For example, Nevada as of 2006 requires secure destruction of records containing customer personal information “when the business decides that it will no longer maintain the records,” and New York in 2006 mandated secure disposal of records containing PII, without any mention of when such records should be disposed of. Nev. Rev. Stat. § 603A.200(1); N.Y. Gen. Bus. Law § 399-h(2).
But now, such state-level secure disposal statutes have begun to also speak to when such records must be disposed of, tied to legal retention requirements and business need: