As mentioned in the initial post in this series, data security laws are emerging with explicit requirements to dispose of unnecessary data. But will regulators take this seriously? The 2022 enforcement actions against EyeMed Vision Care LLC provide $5.1 million reasons to conclude yes.

First, some context. Carefully managing data retention and disposal is one of the most effective security safeguards for any business. You can’t have a breach of data your business no longer retains, right? But U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed. And similarly, data safeguards rules for the financial services sector under the Gramm-Leach-Bliley Act (GLBA) traditionally have not required either data retention policies or disposal of customer data once no longer required for legal compliance or business purposes. 

But this began to change in recent years:

  • Several states’ PII security laws now specifically require disposal of PII once no longer needed for business purposes (I summarized these developments in a 2021 post). A good example is New York’s SHIELD Act. As of 2020, the SHIELD Act requires businesses that own or license computerized data with PII of a New York resident to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.  To be deemed compliant, such businesses must “dispose of [PII] within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”  N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4) (emphasis added).
  • New York also established sweeping new data security rules specifically for the financial services sector. The Cybersecurity Requirements for Financial Services Companies of the New York State Department of Financial Services (NYDFS) apply broadly to financial services businesses licensed or registered under New York’s Banking Law, Insurance Law, or Financial Services Law.  23 NYCRR § 500.1(c).  The NYDFS Cybersecurity Rules broke new ground by requiring covered entities to have “policies and procedures for the secure disposal on a periodic basis of any nonpublic information … that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.” 23 NYCRR § 500.13.

So fine, we now have new data security laws requiring that businesses dispose of unnecessary data. But are regulators actually serious about this? Yes indeed – which brings us to EyeMed Vision Care LLC (EyeMed).

In re EyeMed Vision Care LLC, No. 21-071 (N.Y. January 18, 2022). The New York Attorney General conducted a SHIELD Act investigation of EyeMed in the wake of a data breach involving a hacker’s access to an EyeMed email account. The hacked account contained six years of sensitive personal data provided by 2.1 million EyeMed customers for vision benefits enrollment and coverage purposes.  The matter was settled in early 2022. The Assurance of Discontinuance included the Attorney General’s finding that “[i]t was unreasonable to leave personal information in the affected email account for up to six years rather than to copy and store such information in more secure systems and delete the older messages from the affected email account, particularly in light of the unreasonable protections for the affected email account at the time of the breach….”  Among other mandates, the Assurance requires EyeMed to “permanently delete customer Personal Information when there is no reasonable business or legal purpose to retain it.”  EyeMed was also assessed a penalty of $600,000.

In re EyeMed Vision Care LLC (NYDFS October 18, 2022). EyeMed’s troubles were not over.  As an NYDFS licensee due to the insurance aspects of its business, EyeMed was also investigated by NYDFS under its cybersecurity regulations. The parties reached a settlement under an NYDFS consent order in October 2022.   Among other findings of cybersecurity failings, NYDFS found that “because EyeMed failed to implement a sufficient data minimization strategy and disposal process for the Mailbox, the compromised shared Mailbox contained old data that was accessible to the threat actor. Proper disposal processes minimize the amount of NPI accessible to an unauthorized third party during a Cyber Event.”  Thus, “[a]t the time of the Cyber Event, EyeMed did not have policies and procedures in place for the secure disposal on a periodic basis of NPI contained within the Mailbox that was no longer necessary for business operations or other legitimate business purpose, in violation of 23 NYCRR § 500.13.”  The NYDFS consent order required EyeMed to perform a compliant security risk assessment and establish compliant security controls.  NYDFS also assessed a civil penalty against EyeMed of $4,500,000, without recourse to tax treatment or insurance reimbursement.

EyeMed offers a cautionary tale. Not only do state-level data security laws increasingly require disposal of unnecessary data, but regulators appear willing and serious about enforcing retention schedule and data disposal mandates.

Two years ago I made a prediction: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance.  Buckle up.”

This was the last line of a 2021 blog series exploring then-recent developments in United States’ data privacy and security laws that had begun to transform retention schedules and data disposal from merely prudent practices into compliance requirements.

So, where do things stand now? The trend continues, and it is actually accelerating – less data is now even more than ever.

Managing data volumes has always been prudent for U.S. businesses.  But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a required minimum retention period, but not compelling disposal.  With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data.  And U.S. privacy and data security laws have generally been silent on retention periods for protected information.

But that was then. Two years ago I mapped changes in U.S. data security and privacy laws that would now require data retention scheduling and disposal of unnecessary data, under:

But what I failed to anticipate was how rapidly the pace would quicken. Two years later, all of the changes noted above continue, but now with the accelerants of:

  • New state-level data security enforcement activity that compels data retention schedules and data disposal;
  • New GLBA data security rules requiring retention schedules and disposal of unnecessary data;
  • An upsurge in FTC data security enforcement actions that put data retention and disposal at center stage;
  • A new biometric privacy court ruling under BIPA on data retention schedule requirements; and
  • A growing wave of new comprehensive state consumer privacy laws mandating data minimization, data retention schedules, and disposal of unnecessary data.  

I’ll explore each of these in upcoming posts … stay tuned.

It’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. 

Scope of PII

State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:

In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements:

  • State statutes on PII data security and data disposal in Alabama, Colorado, New Mexico, New York, Oregon, and Rhode Island now require that PII be disposed of when no longer required by retention laws or otherwise needed for business purposes.
  • New York’s DFS cybersecurity regulations now require DFS-regulated financial services businesses to have a records retention schedule tying retention of nonpublic information to legal requirements and business need, and to dispose of such data when it is no longer necessary for legal compliance or legitimate business purposes.
  • State data security statutes in Alabama, Connecticut, Delaware, Indiana, Kentucky, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia now (or effective soon, will) require insurance licensees to have a retention schedule for nonpublic information and a mechanism for its disposal when no longer needed.
  • In 2019 and 2021 data security enforcement actions under FTC Act Section 5, the FTC now takes the position that over-retention of consumer PI is itself an unreasonable data security practice, and that a reasonable information security program includes data retention scheduling under which consumer PI is disposed of when no longer necessary.
  • State biometric data privacy statutes in Illinois, Texas, and Washington now require that biometric data subject to statutory protection must generally be disposed of after the collection purpose has been satisfied, and Illinois’ BIPA also requires that covered businesses must maintain and must comply with a publicly available, written data retention schedule for biometric data.
  • California’s CCPA, due to the consumers’ right to request deletion of personal information, incents covered businesses to manage consumer PI under a legally-validated retention schedule and to dispose of such PI under the retention schedule once the PI is no longer needed to comply with legal retention requirements and the business’s needs for the consumer transaction or contract.
  • Virginia’s Consumer Data Protection Act (CDPA), signed into law this week and effective January 1, 2023, will require covered businesses (“data controllers”) to limit their collection of personal data and to generally not retain personal data for purposes not reasonably necessary to, or compatible with, the disclosed purposes for which such personal data is processed, unless the consumer consents.
  • And under the California Consumer Privacy Rights Act (CPRA), effective January 1, 2023, covered businesses will be required to manage PI under data retention schedule rules disclosed through notice to consumers, including their employees, and to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

Virtually every one of the above changes in data security and data privacy laws has happened in just the last few years, with similar legislation percolating in additional states’ legislatures across the country.  The trend is unmistakable, and the pace of change is quickening.  Managing data with retention scheduling and disposing of unnecessary data are becoming compliance requirements for data privacy and security.

What to do about this?

  • Clarify what constitutes protected information, based on your business’s geographic footprint and scope of operations.
  • Understand where protected information resides, both in your business’s data systems and through your relationships with service providers and contractors.
  • Update and legally validate your business’s data retention schedule, with particular attention to legally required retention periods for records and data sets containing protected information.
  • With that foundation in place, ensure that your business’s policies, contracts, privacy notices, training, and compliance systems ensure compliant practices for the safeguarding, timely disposal, and other processing of protected information.

But wait … aren’t these the same things that have always been good to do?  Of course.  Managing records and information (more broadly, Information Governance) has consistently been prudent, and increasingly so as our digital age has multiplied the volume and velocity of business data. Yet in the real world, what to do has never been as impactful as why to do it.  There needs to be an impetus to govern information, or at least to do it better, that drives actual change within the business.

In the 2000s, a powerful impetus for managing information retention and disposal was the rise of ediscovery, triggering concerns about (1) explosive litigation costs due to unnecessarily retained data and (2) the specter of spoliation sanctions if information is managed carelessly or poorly.  In the 2010s, a new impetus was the fear of data breaches, with their resulting reputational damage, business interruption, regulatory implications, and legal exposures, which are all multiplied by retaining unnecessary data.

For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance.  Buckle up.

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

As mentioned earlier, the FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA.  It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  The businesses the FTC has targeted for Section 5 data security enforcement have ranged from the large and well-known to the small and obscure.  But the common theme is that the business, according to the FTC, either deceptively or unfairly engaged in unreasonable and inadequate data security practices for consumers’ personal information (PI).

In several Section 5 enforcement proceedings before 2019 the FTC alleged that the combination of several inadequate data security practices “taken together,” and including retaining consumers’ PI beyond any business need, can collectively be an unfair trade practice under Section 5.  Such past FTC data security matters mentioning over-retention include enforcement actions against BJ’s Wholesale Club, Inc., DSW Inc., Life is good, Inc., Ceridian Corporation, and Cbr Systems, Inc.

But in its recent Section 5 enforcement actions against InfoTrax Systems and SkyMed International, the FTC has changed its approach, elevating over-retention to be a core data security failure.  In each of these cases, as it had in the past, the FTC alleged multiple data security lapses, including the failure to dispose of PI once “no longer necessary.”  Yet the language of these recent complaints no longer uses the “taken together” language of the earlier enforcement actions, allowing over-retention of PI to stand on its own as an unreasonable data security practice.  And the consent orders in these cases, unlike the FTC’s earlier enforcement matters, set forth the explicit, independent requirement that the respondents must have policies, procedures, and measures to delete PI once it is no longer necessary.

As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data.  Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.

First, some brief context.  The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data.  15 U.S.C. § 6801(b).  The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem.  The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements.  The NCUA adopted similarly specific safeguards for credit unions.  12 C.F.R. Part 748, App. A.    In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use.  And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.

The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes.  The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.

But this is beginning to change.  And as seen elsewhere in this series, states are leading the way:

It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains.  Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business.  Yet oddly, U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed.  And state laws requiring secure disposal of records containing PII have commonly focused on how such records must compliantly be disposed of, not when.  But recent changes in state-level security program and secure disposal statutes signal a change, with state laws now requiring businesses to dispose of PII when no longer required by retention laws or otherwise needed for business purposes.

State-level Secure Disposal Laws 

A majority of the states have statutes requiring businesses with PII of state residents to take reasonable measures to protect such information when it is disposed of or discarded.  Most such statutes were enacted in the 2000s and, similar to the federal Disposal Rule under FACTA, specify compliant means for securely disposing of protected information.  For example, Nevada as of 2006 requires secure destruction of records containing customer personal information “when the business decides that it will no longer maintain the records,” and New York in 2006 mandated secure disposal of records containing PII, without any mention of when such records should be disposed of.   Nev. Rev. Stat. § 603A.200(1); N.Y. Gen. Bus. Law § 399-h(2).

But now, such state-level secure disposal statutes have begun to also speak to when such records must be disposed of, tied to legal retention requirements and business need:

Today’s companion post explores how the California Consumer Privacy Act (CCPA), without statutory provisions explicitly requiring data minimization or storage limitation, nevertheless incents covered businesses to carefully manage retention and disposal of personal information (PI).  But less than two years from now, the script gets flipped, with California mandating both data minimization and storage limitation for businesses covered by the California Privacy Rights Act (CPRA).

The CPRA became law through a November 2020 ballot initiative.  Generally effective on January 1, 2023, the CPRA makes sweeping changes to the CCPA, including new provisions that directly require data retention management and data disposal.  Under the CPRA, covered businesses:

  • Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
  • Must not retain PI for longer than is reasonably necessary and proportionate for the disclosed purpose(s) of collection or processing.

Cal. Civ. Code § 1798.100(a)(3) & (c) (effective January 1, 2023).  Thus, for the first time under any U.S. federal or state comprehensive data privacy law, the CPRA will explicitly and directly require covered businesses (1) to manage the CPRA’s broad range of PI under data retention schedule rules disclosed through notice to consumers, and (2) to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

The California Consumer Privacy Act, effective January 1, 2020, was the United States’ first state-level comprehensive data privacy law.  And the CCPA blogging blitzkrieg has not been merely hype – the CCPA presages a fundamental shift in U.S. privacy law.

The statute was a bit convoluted in its original form, almost as if the California legislature had hurriedly cobbled it together in a week’s time to avoid different provisions becoming law through a ballot initiative spearheaded by private activists, and which would have been essentially immune to subsequent direct amendment by the legislature (oops, that’s actually what happened).  Today’s CCPA is also the product of a flurry of legislative clean-up amendments, supplemented by now-final California regulations (not that anything is ever quite final in California), and with a few targeted statutory amendments effective now due to last November’s adoption of the CPRA by ballot referendum.

Much thoughtful guidance is available elsewhere on the CCPA’s scope, applicability, and the various consumer rights it creates, including notice/transparency, access, deletion, and sale opt-out.  Our narrow focus here is on whether and how the CCPA affects the need of covered businesses (1) to manage PI with retention scheduling and (2) to dispose of PI once no longer necessary.
Last week’s post was a whirlwind history tour of U.S. data privacy law, homing in on the privacy principles of data minimization and storage limitation.  The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on notice and consent and have avoided requiring businesses (1) to manage data under a retention schedule and (2) to dispose of personal data once no longer necessary for legal compliance or business need.

This began to change in state laws focused on a small niche of privacy – biometric data privacy.  Data security for biometric data is becoming a staple of state-level breach notification statutes (to date, in 17 states and the District of Columbia) and in some states’ laws that affirmatively require reasonable data security programs for protected personal information.  But state-level data privacy laws for biometric data have been more of an outlier.

Illinois’ Biometric Information Privacy Act (BIPA) became effective in 2008.  BIPA has been blogged about endlessly, largely because, after a bit of a sleepy start, its provisions allowing private-party class actions for statutory damages (thereby bypassing the standing impediment vexing many privacy and data security claimants) thrust BIPA to center stage in headline-grabbing litigation.

Our focus here is on a particular provision in BIPA: