We’ve already seen how new FTC regulations for GLBA-regulated financial institutions require retention schedules and disposal of unnecessary data as essential data security controls. The FTC is now also taking that position for all businesses under Section 5 of the FTC Act, as seen in a slew of recent FTC data security enforcement actions.

Two years ago I summarized the history of FTC enforcement on this issue. For decades the FTC has enforced reasonable data security under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  The FTC has pursued inadequate security practices of both large and well-known businesses and of small and obscure companies.  But the common theme is that the targeted business, according to the FTC, either deceptively or unfairly engaged in unreasonable data security practices for consumers’ personal information.

What was notable two years ago were the FTC’s Section 5 enforcement actions against InfoTrax Systems in late 2019 and SkyMed International in early 2021. In re InfoTrax Systems, L.C., No. C-4696 (F.T.C. December 30, 2019) (final complaint & consent order); In re SkyMed International, No. C-4732 (F.T.C. January 26, 2021) (final complaint & consent order). In each of these enforcement actions, the FTC alleged that the business “failed to have a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on [its] network that is no longer necessary….”  And in each consent order the FTC required “[p]olicies, procedures, and technical measures to systematically inventory Personal Information in [its] control and delete Personal Information that is no longer necessary….”

I ended that 2021 post by observing “[i]f the FTC’s position in SkyMed and Infotrax takes hold more broadly, the repercussions for over-retention will be sweeping in scope.”

Sweeping indeed. In a flurry of 2022 and 2023 enforcement actions, the FTC has now doubled down on its position that reasonable data security requires data retention schedules and disposal of unnecessary data:

Residual Pumpkin (and later its purchaser Planetart) operated the platform CafePress.com, on which consumers purchased customized t-shirts, coffee mugs, and similar merchandise from other consumers or “shopkeepers.”  CafePress’s operators routinely collected information from consumers and shopkeepers, including names, email addresses, telephone numbers, birth dates, gender, photos, social media handles, security questions and answers, passwords, PayPal addresses, the last four digits and expiration dates of credit cards, and shopkeepers’ Social Security or tax identification numbers, and stored this sensitive personal information in clear text, except for passwords, which were encrypted.

In its 2021 Section 5 enforcement action complaint, the FTC alleged that CafePress’s operators failed to protect the personal information of buyers and sellers stored on its network and to adequately respond to multiple security breaches.  Among other inadequate security practices,  CafePress’s operators “created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need.”

The FTC approved a settlement and consent agreement with CafePress’s operators on June 23, 2022.  The consent order mandates that CafePress’s operators establish, implement, and maintain a comprehensive information security program to protect the privacy, security, confidentiality, and integrity of collected personal information, including “[p]olicies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures….”  The FTC also assessed a civil penalty of $500,000.

Drizly, an Uber subsidiary, operates an e-commerce platform through which local retailers sell alcohol online to adult customers.  The Drizly platform collects and stores both personal information that consumers provide and information that it automatically obtains from consumers’ computers and mobile devices.

In its 2022 Section 5 enforcement action complaint against both Drizly and its cofounder and CEO Rellas, the FTC alleged that data security failures led to a data breach exposing personal information of 2.5 million consumers.  Among other alleged security failures, Drizly failed to “[h]ave a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on its network that was no longer necessary.”

The FTC finalized the settlement and consent agreement with Drizly and Rellas on January 10, 2023.  The consent order mandates that Drizly destroy any collected personal data not necessary to provide products or services to consumers, document and report to the Commission what data it destroyed, and refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. And to punctuate the FTC’s resolve, the consent order also requires Rellas to implement an information security program at future companies if he moves to a business that collects consumer information from more than 25,000 individuals, or where he is a majority owner, CEO, or senior officer with information security responsibilities.

  • In re Chegg, Inc., No. C-4782 (F.T.C. January 25, 2023) (complaint & consent order)

Chegg markets and sells direct-to-student educational products and services, primarily to high school and college students.  Chegg collects sensitive personal information from users, such as information about users’ religious denomination, heritage, birthdate, parents’ income range, sexual orientation, and disabilities for Chegg’s scholarship search service, and users’ images and voice in connection with Chegg’s online tutoring services.  As an employer, Chegg also collects such personal information as employees’ names, birth dates, Social Security numbers, and financial information.

In its Section 5 enforcement action complaint, the FTC alleged that Chegg’s poor data security practices resulted in four separate data breaches and the unauthorized publication of 40 million customers’ personal information.  Among other alleged security lapses, Chegg “failed to have a policy, process, or procedure for inventorying and deleting users’ and employees’ personal information stored on Chegg’s network after that information is no longer necessary….”

On January 25, 2023, the FTC approved a settlement and consent agreement with Chegg.  The consent order requires Chegg to establish, implement, and maintain a comprehensive information security program that protects the security, availability, confidentiality, and integrity of specified personal information of customers under Chegg’s control, including, among other security controls, “[p]olicies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures….”  The consent order further requires Chegg to:

“Document and adhere to a retention schedule for Covered Information [meaning types of consumer personal information as defined in the consent order]. Such schedule shall set forth: (1) the purpose or purposes for which each type of Covered Information is collected; (2) the specific business needs for retaining each type of Covered Information; and (3) a set timeframe for deletion of each type of Covered Information (absent any intervening deletion requests from consumers) that precludes indefinite retention of any Covered Information….”

The FTC is also homing in on unnecessary data retention in its recent privacy enforcement actions under FTC Act Section 5, punctuated by millions of dollars in civil penalties:

GoodRx Holdings, Inc. is a “consumer-focused digital healthcare platform” that advertises, distributes, and sells health-related products and services directly to consumers.  The FTC investigated GoodRx’s sharing of customer personal and health information with third party social media platforms and advertisers, as violations of FTC Act Section 5 and also of the FTC’s Health Breach Notification Rule.  The matter was resolved with a Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Relief filed in February 2023 in the United States District Court for the Northern District of California.

Among the order’s various requirements, GoodRx must identify and instruct all entities that received personal information of GoodRx’s customers to delete all such information wrongfully received from GoodRx and to confirm such deletion in writing.  GoodRx must also establish, implement, and maintain a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of the consumers’ personal information.  One mandated safeguard for the privacy program is that GoodRx must establish and maintain a data retention policy that includes:

“a retention schedule that limits the retention of Covered Information for only as long as is reasonably necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be destroyed, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order;” and

“a requirement that each Covered Business document, adhere to, and make publicly available … a retention schedule for Covered Information, setting forth: (1) the purposes for which such information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a set timeframe for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumers) that precludes indefinite retention of any Covered Information.”

The Stipulated Order also assessed a civil penalty against GoodRx of $1,500,000.

BetterHelp offers online counseling services. Consumers fill out a questionnaire with sensitive mental health information and also provide their name, email address, birth date, and other personal information. BetterHelp promised consumers that it would not use or disclose their personal health data except for limited purposes, such as to provide counseling services. But according to the FTC, BetterHelp provided consumers’ email addresses, IP addresses, and health questionnaire information to third party platforms such as Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, which, along with other alleged data security and privacy program shortcomings, violated Section 5 of the FTC Act.

On March 2, 2023, the FTC approved a consent order with BetterHelp, subject to a thirty-day public comment period.  The terms of the consent order mirror those in GoodRx summarized above, including the requirement that BetterHelp instruct entities to delete customer information wrongfully received from BetterHelp and to confirm such deletion, and also the same requirements to document, adhere to, and publish a retention schedule for consumers’ personal information “that precludes indefinite retention of any Covered Information.”

The FTC also assessed a civil penalty against BetterHelp of $7,800,000.

The FTC is not being subtle about this. In case the message hasn’t landed, a February 2023 FTC blog post laid out three key elements for systemically addressing the security and privacy risks of complex data systems. Beyond multi-factor authentication and encrypted and authenticated system connections, what is the third crucial element? You guessed it:

(3) Requiring companies to develop a data retention schedule, publish it, and then stick to it

A final provision is a requirement to develop a data retention schedule, publish it, and then stick to it. This embraces the premise that the most secure data is the data that’s not stored at all. Further, implementing this requirement inevitably requires companies to have a strong internal catalogue of all the data they store. This provides other benefits, such as ensuring that they’ll be able to comprehensively comply with requests from users to delete data and have the information needed to prioritize protections based on the types of data they’re storing. 

The FTC has updated its data security regulations for the financial institutions it regulates under the Gramm-Leach-Bliley Act (GLBA). The FTC’s revised requirements for information security programs, effective June 1, 2023, will now mandate data retention policies and disposal of unnecessary customer information.

To appreciate what this means, we must take a quick look at how we got here. GLBA, enacted back in 1999, required financial institution regulators to establish standards for safeguarding the security and confidentiality of customer data.  15 U.S.C. § 6801(b).  The regulators obliged, with varying approaches typical of our idiosyncratic U.S. financial regulatory ecosystem.  The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security controls requirements.  The NCUA adopted similarly specific safeguards for credit unions.  12 C.F.R. Part 748, App. A.    In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use.  For the insurance industry, GLBA security standards were left to state departments of insurance, consistent with federal deference to state-level regulation of insurance.

The key point here is that no federal GLBA regulator established security standards that directly required either data retention scheduling or the disposal of customer data no longer required for legal compliance or business purposes.  The banking agencies’ and NCUA’s standards spoke only to the proper means of disposal, not when customer data must be disposed of. And the SEC and FTC standards were silent on these topics.

Until now.

In 2021 the FTC took a fresh look at its Safeguards Rule, 16 C.F.R. Part 314, which was essentially untouched since first promulgated back in 2003. The resulting amendments updated the Rule to better address the current cyber-risk environment. And the amended Rule is more specific and granular in its required elements for the mandated information security program.

The significant point here is that the updated FTC Safeguards Rule for the first time adds data retention schedules and disposal of unnecessary data as required elements of a compliant security program for customer information. Entities subject to the amended Safeguards Rule must, effective June 1, 2023:

  • Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and
  • Periodically review your data retention policy to minimize the unnecessary retention of data. 16 C.F.R. § 314.4(c)(6).
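As an added illustration (my own code, not from the original post, the FTC orders, or the Safeguards Rule), here is a small Python retention-schedule evaluator. It encodes the three schedule elements the Chegg and GoodRx orders require (purpose, business need, and a set timeframe per data type that precludes indefinite retention) and applies the amended Safeguards Rule’s disposal clock of two years after last use, with the rule’s stated exceptions for legal retention requirements and for data where targeted disposal is not feasible. The data types, records, and dates are constructed; the “review” status for not-feasible disposals and the refusal to evaluate un-inventoried data types are my assumptions about how a business might operationalize the rule text, not anything the rule itself prescribes.

```python
"""Retention schedule evaluator (added example; not from the original post).

Models a retention schedule with the three elements required in the Chegg and
GoodRx consent orders, plus the amended Safeguards Rule's two-year disposal
clock (16 C.F.R. 314.4(c)(6)). All data types, records and dates below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Safeguards Rule: dispose of customer information no later than two years after
# the last date it is used, unless an exception in the rule applies.
SAFEGUARDS_MAX_RETENTION = timedelta(days=2 * 365)


@dataclass(frozen=True)
class RetentionRule:
    data_type: str         # constructed category name, e.g. "order_history"
    purpose: str           # (1) purpose for which the data is collected
    business_need: str     # (2) specific business need for retaining it
    retain_for: timedelta  # (3) set timeframe for deletion, measured from last use
    extended_basis: str = ""  # law, regulation or documented need for keeping > 2 years


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    last_used: date
    legal_hold: bool = False                  # retention required by law or court order
    targeted_disposal_feasible: bool = True   # e.g. False for a monolithic backup image


class RetentionSchedule:
    def __init__(self, rules):
        self._rules = {}
        for rule in rules:
            # A schedule that "precludes indefinite retention" has no open-ended rows.
            if rule.retain_for <= timedelta(0):
                raise ValueError(f"{rule.data_type}: timeframe must be a positive period")
            # Assumption: anything beyond the two-year clock must cite its basis.
            if rule.retain_for > SAFEGUARDS_MAX_RETENTION and not rule.extended_basis:
                raise ValueError(f"{rule.data_type}: retention beyond two years needs a documented basis")
            self._rules[rule.data_type] = rule

    def rule_for(self, data_type):
        # Data with no schedule entry is un-inventoried data; refuse to keep it silently.
        if data_type not in self._rules:
            raise KeyError(f"no retention rule for data type {data_type!r}")
        return self._rules[data_type]

    def disposal_due(self, record):
        return record.last_used + self.rule_for(record.data_type).retain_for

    def evaluate(self, record, today):
        """Return 'retain', 'dispose', 'hold' or 'review' for one record."""
        if record.legal_hold:
            return "hold"      # law / regulation / court order exception
        if today < self.disposal_due(record):
            return "retain"
        if not record.targeted_disposal_feasible:
            return "review"    # rule exception, but a human still decides what to do
        return "dispose"

    def publishable(self):
        """Rows for the public schedule the orders require ('publish it')."""
        return [(r.data_type, r.purpose, r.business_need, r.retain_for.days)
                for r in self._rules.values()]


def run_disposal(schedule, records, today):
    """Group records by decision; the 'dispose' list feeds the deletion job."""
    report = {"retain": [], "dispose": [], "hold": [], "review": []}
    for rec in records:
        report[schedule.evaluate(rec, today)].append(rec.record_id)
    return report


# Constructed sample schedule, records and evaluation date.
SCHEDULE = RetentionSchedule([
    RetentionRule("order_history", "fulfil orders", "returns and chargebacks", timedelta(days=365)),
    RetentionRule("tax_records", "tax reporting", "statutory retention", timedelta(days=7 * 365),
                  extended_basis="federal tax record-keeping requirement"),
])
SAMPLE_RECORDS = [
    Record("o-1", "order_history", date(2021, 1, 15)),                                 # past due
    Record("o-2", "order_history", date(2022, 11, 1)),                                 # still needed
    Record("o-3", "order_history", date(2020, 6, 1), legal_hold=True),                 # on hold
    Record("o-4", "order_history", date(2020, 6, 1), targeted_disposal_feasible=False),  # review
    Record("t-1", "tax_records", date(2019, 4, 15)),                                   # 7-year rule
]
AS_OF = date(2023, 3, 1)

if __name__ == "__main__":
    for row in SCHEDULE.publishable():
        print(row)
    print(run_disposal(SCHEDULE, SAMPLE_RECORDS, AS_OF))
```

The two deliberate failure modes are the ones the orders and the rule single out: a rule with no finite timeframe is rejected at schedule construction, and a record whose data type is not in the schedule raises rather than being retained by default, which is the inventory gap the EyeMed mailbox and the InfoTrax and SkyMed complaints describe.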

This focus on data retention schedules and data disposal as essential security controls for financial institutions echoes a similar recent trend in state-level insurance laws under GLBA, discussed here, and also the New York DFS cybersecurity regulations for financial institutions, mentioned in Less Data #1. Yet it also aligns with the FTC’s current view that retention schedules and data disposal are crucial to data security for all types of businesses. For example, the FTC’s 2016 guidance document Protecting Personal Information:  A Guide for Business stressed the “Scale Down” principle, which is to keep only what you need for your business:

“If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary. …  If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.”

So for some time now the FTC has been moving toward the position that data retention schedules and data disposal are essential for reasonable data security. This position is clearly reflected in the FTC’s amended GLBA Safeguards Rule. But how deeply has this position permeated the FTC’s actual enforcement of reasonable data security beyond the GLBA financial institution setting? We’ll explore that in Less Data #3.

As mentioned in the initial post in this series, data security laws are emerging with explicit requirements to dispose of unnecessary data. But will regulators take this seriously? The 2022 enforcement actions against EyeMed Vision Care LLC provide $5.1 million reasons to conclude yes.

First, some context. Carefully managing data retention and disposal is one of the most effective security safeguards for any business. You can’t have a breach of data your business no longer retains, right? But U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed. And similarly, data safeguards rules for the financial services sector under the Gramm-Leach-Bliley Act (GLBA) traditionally have not required either data retention policies or disposal of customer data once no longer required for legal compliance or business purposes. 

But this began to change in recent years:

  • Several states’ PII security laws now specifically require disposal of PII once no longer needed for business purposes (I summarized these developments in a 2021 post). A good example is New York’s SHIELD Act. As of 2020, the SHIELD Act requires businesses that own or license computerized data with PII of a New York resident to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.  To be deemed compliant, such businesses must “dispose of [PII] within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”  N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4) (emphasis added).
  • New York also established sweeping new data security rules specifically for the financial services sector. The Cybersecurity Requirements for Financial Services Companies of the New York State Department of Financial Services (NYDFS) apply broadly to financial services businesses licensed or registered under New York’s Banking Law, Insurance Law, or Financial Services Law.  23 NYCRR § 500.1(c).  The NYDFS Cybersecurity Rules broke new ground by requiring covered entities to have “policies and procedures for the secure disposal on a periodic basis of any nonpublic information … that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.” 23 NYCRR § 500.13.

So fine, we now have new data security laws requiring that businesses dispose of unnecessary data. But are regulators actually serious about this? Yes indeed – which brings us to EyeMed Vision Care LLC (EyeMed).

In re EyeMed Vision Care LLC, No. 21-071 (N.Y. January 18, 2022). The New York Attorney General conducted a SHIELD Act investigation of EyeMed in the wake of a data breach involving a hacker’s access to an EyeMed email account. The hacked account contained six years of sensitive personal data provided by 2.1 million EyeMed customers for vision benefits enrollment and coverage purposes.  The matter was settled in early 2022. The Assurance of Discontinuance included the Attorney General’s finding that “[i]t was unreasonable to leave personal information in the affected email account for up to six years rather than to copy and store such information in more secure systems and delete the older messages from the affected email account, particularly in light of the unreasonable protections for the affected email account at the time of the breach….”  Among other mandates, the Assurance requires EyeMed to “permanently delete customer Personal Information when there is no reasonable business or legal purpose to retain it.”  EyeMed was also assessed a penalty of $600,000.

In re EyeMed Vision Care LLC (NYDFS October 18, 2022). EyeMed’s troubles were not over.  As an NYDFS licensee due to the insurance aspects of its business, EyeMed was also investigated by NYDFS under its cybersecurity regulations. The parties reached a settlement under an NYDFS consent order in October 2022.   Among other findings of cybersecurity failings, NYDFS found that “because EyeMed failed to implement a sufficient data minimization strategy and disposal process for the Mailbox, the compromised shared Mailbox contained old data that was accessible to the threat actor. Proper disposal processes minimize the amount of NPI accessible to an unauthorized third party during a Cyber Event.”  Thus, “[a]t the time of the Cyber Event, EyeMed did not have policies and procedures in place for the secure disposal on a periodic basis of NPI contained within the Mailbox that was no longer necessary for business operations or other legitimate business purpose, in violation of 23 NYCRR § 500.13.”  The NYDFS consent order required EyeMed to perform a compliant security risk assessment and establish compliant security controls.  NYDFS also assessed a civil penalty against EyeMed of $4,500,000, without recourse to tax treatment or insurance reimbursement.

EyeMed offers a cautionary tale. Not only do state-level data security laws increasingly require disposal of unnecessary data, but regulators appear willing and serious in enforcing retention schedule and data disposal mandates.

Two years ago I made a prediction: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance.  Buckle up.”

This was the last line of a 2021 blog series exploring then-recent developments in United States’ data privacy and security laws that had begun to transform retention schedules and data disposal from merely prudent practices into compliance requirements.

So, where do things stand now? The trend continues, and it is actually accelerating – less data is now even more than ever.

Managing data volumes has always been prudent for U.S. businesses.  But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a required minimum retention period, but not compelling disposal.  With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data.  And U.S. privacy and data security laws have generally been silent on retention periods for protected information.

But that was then. Two years ago I mapped changes in U.S. data security and privacy laws that would now require data retention scheduling and disposal of unnecessary data, under:

But what I failed to anticipate was how rapidly the pace would quicken. Two years later, all of the changes noted above continue, but now with the accelerants of:

  • New state-level data security enforcement activity that compels data retention schedules and data disposal;
  • New GLBA data security rules requiring retention schedules and disposal of unnecessary data;
  • An upsurge in FTC data security enforcement actions that put data retention and disposal at center stage;
  • A new biometric privacy court ruling under BIPA on data retention schedule requirements; and
  • A growing wave of new comprehensive state consumer privacy laws mandating data minimization, data retention schedules, and disposal of unnecessary data.  

I’ll explore each of these in upcoming posts … stay tuned.

It’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. 

Scope of PII

State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:

In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements:

  • State statutes on PII data security and data disposal in Alabama, Colorado, New Mexico, New York, Oregon, and Rhode Island now require that PII be disposed of when no longer required by retention laws or otherwise needed for business purposes.
  • New York’s DFS cybersecurity regulations now require DFS-regulated financial services businesses to have a records retention schedule tying retention of nonpublic information to legal requirements and business need, and to dispose of such data when it is no longer necessary for legal compliance or legitimate business purposes.
  • State data security statutes in Alabama, Connecticut, Delaware, Indiana, Kentucky, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia now (or effective soon, will) require insurance licensees to have a retention schedule for nonpublic information and a mechanism for its disposal when no longer needed.
  • In 2019 and 2021 data security enforcement actions under FTC Act Section 5, the FTC now takes the position that over-retention of consumer PI is itself an unreasonable data security practice, and that a reasonable information security program includes data retention scheduling under which consumer PI is disposed of when no longer necessary.
  • State biometric data privacy statutes in Illinois, Texas, and Washington now require that biometric data subject to statutory protection must generally be disposed of after the collection purpose has been satisfied, and Illinois’ BIPA also requires that covered businesses must maintain and must comply with a publicly available, written data retention schedule for biometric data.
  • California’s CCPA, due to the consumers’ right to request deletion of personal information, incents covered businesses to manage consumer PI under a legally-validated retention schedule and to dispose of such PI under the retention schedule once the PI is no longer needed to comply with legal retention requirements and the business’s needs for the consumer transaction or contract.
  • Virginia’s Consumer Data Protection Act (CDPA), signed into law this week and effective January 1, 2023, will require covered businesses (“data controllers”) to limit their collection of personal data and to generally not retain personal data for purposes not reasonably necessary to, or compatible with, the disclosed purposes for which such personal data is processed, unless the consumer consents.
  • And under the California Consumer Privacy Rights Act (CPRA), effective January 1, 2023, covered businesses will be required to manage PI under data retention schedule rules disclosed through notice to consumers, including their employees, and to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

Virtually every one of the above changes in data security and data privacy laws has happened in just the last few years, with similar legislation percolating in additional states’ legislatures across the country.  The trend is unmistakable, and the pace of change is quickening.  Managing data with retention scheduling and disposing of unnecessary data are becoming compliance requirements for data privacy and security.

What to do about this?

  • Clarify what constitutes protected information, based on your business’s geographic footprint and scope of operations.
  • Understand where protected information resides, both in your business’s data systems and through your relationships with service providers and contractors.
  • Update and legally validate your business’s data retention schedule, with particular attention to legally required retention periods for records and data sets containing protected information.
  • With that foundation in place, ensure that your business’s policies, contracts, privacy notices, training, and compliance systems ensure compliant practices for the safeguarding, timely disposal, and other processing of protected information.

But wait … aren’t these the same things that have always been good to do?  Of course.  Managing records and information (more broadly, Information Governance) has consistently been prudent, and increasingly so as our digital age has multiplied the volume and velocity of business data. Yet in the real world, what to do has never been as impactful as why to do it.  There needs to be an impetus to govern information, or at least to do it better, that drives actual change within the business.

In the 2000s, a powerful impetus for managing information retention and disposal was the rise of ediscovery, triggering concerns about (1) explosive litigation costs due to unnecessarily retained data and (2) the specter of spoliation sanctions if information is managed carelessly or poorly.  In the 2010s, a new impetus was the fear of data breaches, with their resulting reputational damage, business interruption, regulatory implications, and legal exposures, which are all multiplied by retaining unnecessary data.

For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance.  Buckle up.

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

As mentioned earlier, the FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA.  It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  The FTC’s targeted businesses for Section 5 data security enforcement have ranged from the large and well-known to the small and obscure.  But the common theme is that the business, according to the FTC, either deceptively or unfairly engaged in unreasonable and inadequate data security practices for consumers’ personal information (PI).

In several Section 5 enforcement proceedings before 2019 the FTC alleged that the combination of several inadequate data security practices “taken together,” and including retaining consumers’ PI beyond any business need, can collectively be an unfair trade practice under Section 5.  Such past FTC data security matters mentioning over-retention include enforcement actions against BJ’s Wholesale Club, Inc., DSW Inc., Life is good, Inc., Ceridian Corporation, and Cbr Systems, Inc.

But in its recent Section 5 enforcement actions against InfoTrax Systems and SkyMed International, the FTC has changed its approach, elevating over-retention to be a core data security failure.  In each of these cases, as it had in the past, the FTC alleged multiple data security lapses, including the failure to dispose of PI once “no longer necessary.”  Yet the language of these recent complaints no longer uses the “taken together” language of the earlier enforcement actions, allowing over-retention of PI to stand on its own as an unreasonable data security practice.  And the consent orders in these cases, unlike the FTC’s earlier enforcement matters, set forth the explicit, independent requirement that the respondents must have policies, procedures, and measures to delete PI once it is no longer necessary.

Continue Reading: Less data is more than ever: The FTC and the reasonable data security program

As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data.  Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.

First, some brief context.  The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data.  15 U.S.C. § 6801(b).  The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem.  The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements.  The NCUA adopted similarly specific safeguards for credit unions.  12 C.F.R. Part 748, App. A.  In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use.  And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.

The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes.  The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.

But this is beginning to change.  And as seen elsewhere in this series, states are leading the way:

Continue Reading: Less data is more than ever: state-level data security laws for the financial services sector

It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains.  Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business.  Yet oddly, U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed.  And state laws requiring secure disposal of records containing PII have commonly focused on how such records must compliantly be disposed of, not when.  But recent changes in state-level security program and secure disposal statutes signal a change, with state laws now requiring businesses to dispose of PII when no longer required by retention laws or otherwise needed for business purposes.

State-level Secure Disposal Laws 

A majority of the states have statutes requiring businesses with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded.  Most such statutes were enacted in the 2000s and, similar to the federal Disposal Rule under FACTA, specify compliant means for securely disposing of protected information.  For example, Nevada as of 2006 requires secure destruction of records containing customer personal information “when the business decides that it will no longer maintain the records,” and New York in 2006 mandated secure disposal of records containing PII, without any mention of when such records should be disposed of.  Nev. Rev. Stat. § 603A.200(1); N.Y. Gen. Bus. Law § 399-h(2).

But now, such state-level secure disposal statutes have begun to also speak to when such records must be disposed of, tied to legal retention requirements and business need:

Continue Reading: Less data is more than ever: state PII data security and disposal laws

Today’s companion post explores how the California Consumer Privacy Act (CCPA), without statutory provisions explicitly requiring data minimization or storage limitation, nevertheless incents covered businesses to carefully manage retention and disposal of personal information (PI).  But less than two years from now, the script gets flipped, with California mandating both data minimization and storage limitation for businesses covered by the California Privacy Rights Act (CPRA).

The CPRA became law through a November 2020 ballot initiative.  Generally effective on January 1, 2023, the CPRA makes sweeping changes to the CCPA, including new provisions that directly require data retention management and data disposal.  Under the CPRA, covered businesses:

  • Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
  • Must not retain PI for longer than is reasonably necessary and proportionate for the disclosed purpose(s) of collection or processing.

Cal. Civ. Code § 1798.100(a)(3) & (c) (effective January 1, 2023).  Thus, for the first time under any U.S. federal or state comprehensive data privacy law, the CPRA will explicitly and directly require covered businesses (1) to manage the CPRA’s broad range of PI under data retention schedule rules disclosed through notice to consumers, and (2) to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

Continue Reading: Less data is more than ever: the CPRA and beyond