Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments). Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.
Managing data volumes has always been prudent. Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures. Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola: “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”
But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal. With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data. And U.S. privacy and data security laws have generally been silent on retention periods for protected information. For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.
Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws. I’ll dig deeper into these developments in upcoming posts, but here are the high points:
Continue Reading For U.S. businesses, less data is more than ever
In early 2018, outbreaks of a novel parainfluenza virus erupted in Frankfurt, Germany and Caracas, Venezuela. United States soldiers serving abroad contracted the virus, and an exchange student returning to a small New England college campus triggered the initial cases in our country. The virus spread by coughing and caused severe symptoms in about half of those infected, killing 20% of severely ill patients. With no vaccination available, the novel virus spread rapidly across the globe. Within a year, the virus – Clade X – killed 15 million Americans and 150 million people world-wide.
Eisenhower famously 
“If anything kills over 10 million people in the next few decades, it’s most likely to be a highly infectious virus, rather than a war. Not missiles, but microbes.” That’s from Bill Gates’ 2015 
It’s been a challenging 2020, as each of us adapts to our new pandemic reality. In the United States as of today, 
Management support is crucial for successful Information Governance initiatives. This is not merely a question of initial project and budget approvals. Most Information Governance initiatives involve behavioral changes in how data is handled, and in many instances, aspects of organizational culture may be impacted. No matter the ultimate benefits, any initiative involving behavioral change will
I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.