Retention & Defensible Disposal

Subscribe to Retention & Defensible Disposal via RSS

Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data.  Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.

First, some brief context.  The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data.  15 U.S.C. § 6801(b).  The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem.  The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements.  The NCUA adopted similarly specific safeguards for credit unions.  12 C.F.R. Part 748, App. A.    In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use.  And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.

The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes.  The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.

But this is beginning to change.  And as seen elsewhere in this series, states are leading the way:
Continue Reading Less data is more than ever: state-level data security laws for the financial services sector

Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains.  Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business.  Yet oddly, U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed.  And state laws requiring secure disposal of records containing PII have commonly focused on how such records must compliantly be disposed of, not when.  But recent changes in state-level security program and secure disposal statutes signal a change, with state laws now requiring businesses to dispose of PII when no longer required by retention laws or otherwise needed for business purposes.

State-level Secure Disposal Laws 

A majority of the states have statutes requiring businesses with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded.  Most such statutes were enacted in the 2000s and, similar to the federal Disposal Rule under FACTA, specify compliant means for securely disposing of protected information.  For examples, Nevada as of 2006 requires secure destruction or records containing customer personal information “when the business decides that it will no longer maintain the records,” and New York in 2006 mandated secure disposal of records containing PII, without any mention of when such records should be disposed of.   Nev. Rev. Stat. § 603A.200(1); N.Y. Gen. Bus. Law § 399-h(2).

But now, such state-level secure disposal statutes have begun to also speak to when such records must be disposed of, tied to legal retention requirements and business need:
Continue Reading Less data is more than ever: state PII data security and disposal laws

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

Today’s companion post explores how the California Consumer Privacy Act (CCPA), without statutory provisions explicitly requiring data minimization or storage limitation, nevertheless incents covered businesses to carefully manage retention and disposal of personal information (PI).  But less than two years from now, the script gets flipped, with California mandating both data minimization and storage limitation for businesses covered by the California Privacy Rights Act (CPRA).

The CPRA became law through a November 2020 ballot initiative.  Generally effective on January 1, 2023, the CPRA makes sweeping changes to the CCPA, including new provisions that directly require data retention management and data disposal.  Under the CPRA, covered businesses:

  • Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
  • Must not retain PI for longer than is reasonably necessary and proportionate for the disclosed purpose(s) of collection or processing.

Cal. Civ. Code § 1798.100(a)(3) & (c) (effective January 1, 2023).  Thus, for the first time under any U.S. federal or state comprehensive data privacy law, The CPRA will explicitly and directly require covered businesses (1) to manage the CPRA’s broad range of PI under data retention schedule rules disclosed through notice to consumers, and (2) to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.
Continue Reading Less data is more than ever: the CPRA and beyond

Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

The California Consumer Privacy Act, effective January 1, 2020, was the United States’ first state-level comprehensive data privacy law.  And the CCPA blogging blitzkreig has not been merely hype – the CCPA presages a fundamental shift in U.S. privacy law.

The statute was a bit convoluted in its original form, almost as if the California legislature had hurriedly cobbled it together in a week’s time to avoid different provisions becoming law through a ballot initiative spearheaded by private activists, and which would have been essentially immune to subsequent direct amendment by the legislature (oops, that’s actually what happened).  Today’s CCPA is the also the product of a flurry of legislative clean-up amendments, supplemented by now-final California regulations (not that anything is ever quite final in California), and with a few targeted statutory amendments effective now due to last November’s adoption of the CPRA by ballot referendum.

Much thoughtful guidance is available elsewhere on the CCPA’s scope, applicability, and the various consumer rights it creates, including notice/transparency, access, deletion, and sale opt-out.  Our narrow focus here is on whether and how the CCPA affects the need of covered businesses (1) to manage PI with retention scheduling and (2) to dispose of PI once no longer necessary.Continue Reading Less data is more than ever: the CCPA

Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

Last week’s post was a whirlwind history tour of U.S. data privacy law, honing in on the privacy principles of data minimization and storage limitation.  The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on notice and consent and have avoided requiring businesses (1) to manage data under a retention schedule and (2) to dispose of personal data once no longer necessary for legal compliance or business need.

This began to change in state laws focused on a small niche of privacy – biometric data privacy.  Data security for biometric data is becoming a staple of state-level breach notification statutes (to date, in 17 states and the District of Columbia) and in some states’ laws that affirmatively require reasonable data security programs for protected personal information.  But state-level data privacy laws for biometric data have been more of an outlier.

Illinois’ Biometric Information Privacy Act (BIPA) became effective in 2008.  BIPA has been blogged about endlessly, largely because, after a bit of a sleepy start, its provisions allowing private-party class actions for statutory damages (thereby bypassing the standing impediment vexing many privacy and data security claimants) thrust BIPA to center stage in headline-grabbing litigation.

Our focus here is on a particular provision in BIPA:
Continue Reading Less data is more than ever: state biometric data privacy laws

Digital DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.  

Forgive me, but to fully appreciate the impact of state data privacy laws on managing records retention and disposing of unnecessary data, a bit of history is needed (if you’re allergic to history, skip this post).  Our focus is through the narrow lens of two key elements of data privacy regimes: data minimization (only collecting the minimum of personal data needed for the collection purposes) and storage limitation (only keeping personal data for as long as needed for these purposes).

United States data privacy law is a global outlier.  That’s ironic, given that the building blocks of modern data privacy law, the Fair Information Privacy Practices (FIPPs), were first expressed in a 1973 report by the U.S. Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens.  As originally framed, the FIPPs (Transparency, Access, Choice, Correction, and Quality/Protection) did not speak directly to data minimization or storage limitation.  At least at the outset, the FIPPs did not expressly call for minimizing collection of personal data or deleting personal data once its collection purpose was satisfied.

If data privacy were a religion, and the FIPPs its original Word, what came next was inevitable – inspiration spread globally and resulted in various denominations, each restating and taking the core beliefs in different directions, as influenced by cultural factors and, with data privacy law, governing philosophies:
Continue Reading Less data is more than ever: for context, a ridiculously brief history of U.S. data privacy law

Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments).  Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.

Managing data volumes has always been prudent.  Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures.  Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola:  “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal.  With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data.  And U.S. privacy and data security laws have generally been silent on retention periods for protected information.  For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.

Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws.  I’ll dig deeper into these developments in upcoming posts, but here are the high points:
Continue Reading For U.S. businesses, less data is more than ever

Destroyed CDs - shredded by a shredder.It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data.  That’s nonsense.  It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.

Even the courts themselves dispose of their data.  Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.

Here are but a few of the many case decisions on this point:
Continue Reading Why govern our information? Reason #6: It’s OK to destroy business data. Really.

Endless book tunnel in Prague libraryAs the information tide relentlessly rises, many organizations simply see an IT problem, to be fixed with a purely IT solution – more storage capacity, more tools, or both.  But merely adding more storage is a reaction, not a strategy.  And adding technology tools without the right governance rules invariably makes things worse, not better.

This is not a criticism of your IT team.  Instead, the problem lies in a misunderstanding of the fundamental challenge.  Just as you shouldn’t bring a knife to a gun fight, you shouldn’t merely bring more storage capacity and IT tools-without-rules to your fight to regain control over your organization’s information.  What’s needed is governance.

More Storage is Not the Answer

If the accelerating, worldwide growth of data were a throw-back movie, it would star Vin Diesel – Fast & Furious.  It’s hard to wrap one’s head around the magnitude and velocity.  Try this – for context, the total content of all catalogued books in the Library of Congress has been estimated variously at 10 to 15 terabytes of data.  IDC’s Data Age 2025 study pegged the world’s 2018 data volume at 33 zetabytes (33 billion terabytes), and forecasted that data volume will reach 175 zetabytes by 2025, a more than quadruple increase.  In case your head hasn’t exploded … apparently 1,000 zetabytes is a yottabyte, and as of yet there is no officially recognized International System of Units name for 1,000 of those (I propose “Lottabyte”).

Why the dizzying growth?  Internet use is certainly a contributor (a lot can happen there each minute).  But it is the Internet of Things, combined with the Industrial Internet, that will increasingly generate gobsmacking quantities of device and machine data.

Let’s hone in on the reality faced by individual organizations. Unstructured data (documents, spreadsheets, presentations, audio and video files, email, and the like) can comprise 80% to 90% of total enterprise data.  Unstructured data is often largely uncontrolled, scattered across network drives, user’s computers, and the organization’s electronic content management (ECM), collaboration, and e-communication systems.

Veritas’ Data Genomics Project produced an interesting 2016 study that analyzed tens of billions of unstructured data files, with over 8000 file extensions, at Fortune 500 companies.  Key finding?  Storage capacity grows each year, but so does data volume – 39% annual growth in the number of unstructured data files, year over year.  Just as a bigger closet or garage at home results in the accumulation of more stuff, when businesses add larger on-premise or cloud repositories without governance controls, it inevitably leads to larger data volumes.  More storage simply enables more data hoarding.

Tools Without Rules are No Help Either

Continue Reading Why govern our information? Reason #7: Merely adding more storage and more tools won’t solve your data problems

One Bullet in Gun BarrelHaving too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses.  Keeping data without a legal or business reason also exacerbates data security exposures.  To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.

Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire.   PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….”  HIPAA regulations  mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible.  Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed.  And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.

Instead, most such laws and standards focus on securely sanitizing or destroying storage media.  For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”

But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls.  And one of the most powerful security controls is to not keep too much data, for too long.
Continue Reading Why govern our information? Reason #9: Unnecessary business data multiplies data security exposures