This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

Today’s companion post explores how the California Consumer Privacy Act (CCPA), without statutory provisions explicitly requiring data minimization or storage limitation, nevertheless incents covered businesses to carefully manage retention and disposal of personal information (PI).  But less than two years from now, the script gets flipped, with California mandating both data minimization and storage limitation for businesses covered by the California Privacy Rights Act (CPRA).

The CPRA became law through a November 2020 ballot initiative.  Generally effective on January 1, 2023, the CPRA makes sweeping changes to the CCPA, including new provisions that directly require data retention management and data disposal.  Under the CPRA, covered businesses:

  • Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
  • Must not retain PI for longer than is reasonably necessary and proportionate for the disclosed purpose(s) of collection or processing.

Cal. Civ. Code § 1798.100(a)(3) & (c) (effective January 1, 2023).  Thus, for the first time under any U.S. federal or state comprehensive data privacy law, the CPRA will explicitly and directly require covered businesses (1) to manage the CPRA’s broad range of PI under data retention schedule rules disclosed through notice to consumers, and (2) to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

Continue Reading Less data is more than ever: the CPRA and beyond


The California Consumer Privacy Act, effective January 1, 2020, was the United States’ first state-level comprehensive data privacy law.  And the CCPA blogging blitzkrieg has not been merely hype – the CCPA presages a fundamental shift in U.S. privacy law.

The statute was a bit convoluted in its original form, almost as if the California legislature had hurriedly cobbled it together in a week’s time to avoid different provisions becoming law through a ballot initiative spearheaded by private activists, and which would have been essentially immune to subsequent direct amendment by the legislature (oops, that’s actually what happened).  Today’s CCPA is also the product of a flurry of legislative clean-up amendments, supplemented by now-final California regulations (not that anything is ever quite final in California), and with a few targeted statutory amendments effective now due to last November’s adoption of the CPRA by ballot referendum.

Much thoughtful guidance is available elsewhere on the CCPA’s scope, applicability, and the various consumer rights it creates, including notice/transparency, access, deletion, and sale opt-out.  Our narrow focus here is on whether and how the CCPA affects the need of covered businesses (1) to manage PI with retention scheduling and (2) to dispose of PI once no longer necessary.

Continue Reading Less data is more than ever: the CCPA


Last week’s post was a whirlwind history tour of U.S. data privacy law, homing in on the privacy principles of data minimization and storage limitation.  The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on notice and consent and have avoided requiring businesses (1) to manage data under a retention schedule and (2) to dispose of personal data once no longer necessary for legal compliance or business need.

This began to change in state laws focused on a small niche of privacy – biometric data privacy.  Data security for biometric data is becoming a staple of state-level breach notification statutes (to date, in 17 states and the District of Columbia) and in some states’ laws that affirmatively require reasonable data security programs for protected personal information.  But state-level data privacy laws for biometric data have been more of an outlier.

Illinois’ Biometric Information Privacy Act (BIPA) became effective in 2008.  BIPA has been blogged about endlessly, largely because, after a bit of a sleepy start, its provisions allowing private-party class actions for statutory damages (thereby bypassing the standing impediment vexing many privacy and data security claimants) thrust BIPA to center stage in headline-grabbing litigation.

Our focus here is on a particular provision in BIPA:

Continue Reading Less data is more than ever: state biometric data privacy laws


Forgive me, but to fully appreciate the impact of state data privacy laws on managing records retention and disposing of unnecessary data, a bit of history is needed (if you’re allergic to history, skip this post).  Our focus is through the narrow lens of two key elements of data privacy regimes: data minimization (only collecting the minimum of personal data needed for the collection purposes) and storage limitation (only keeping personal data for as long as needed for these purposes).

United States data privacy law is a global outlier.  That’s ironic, given that the building blocks of modern data privacy law, the Fair Information Privacy Practices (FIPPs), were first expressed in a 1973 report by the U.S. Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens.  As originally framed, the FIPPs (Transparency, Access, Choice, Correction, and Quality/Protection) did not speak directly to data minimization or storage limitation.  At least at the outset, the FIPPs did not expressly call for minimizing collection of personal data or deleting personal data once its collection purpose was satisfied.

If data privacy were a religion, and the FIPPs its original Word, what came next was inevitable – inspiration spread globally and resulted in various denominations, each restating and taking the core beliefs in different directions, as influenced by cultural factors and, with data privacy law, governing philosophies:

Continue Reading Less data is more than ever: for context, a ridiculously brief history of U.S. data privacy law

Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments).  Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.

Managing data volumes has always been prudent.  Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures.  Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola:  “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal.  With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data.  And U.S. privacy and data security laws have generally been silent on retention periods for protected information.  For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.

Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws.  I’ll dig deeper into these developments in upcoming posts, but here are the high points:

Continue Reading For U.S. businesses, less data is more than ever


In 2019, the Global Health Index evaluated the epidemic preparedness and response capabilities of 195 countries and ranked the United States as number one.  Yet as of today, with nearly four million confirmed Covid cases and over 143 thousand deaths, the United States leads the world in a very different way.

We assessed the risks, both the likelihood and potential severity of a pandemic.  We did extensive planning for the structures, direction, and resources needed for preparedness.  And we repeatedly tested the plans, confirming strengths and identifying weaknesses.

What was missing?  Commitment.  And that’s worth exploring, not as a political blame-game, but as an object lesson for the nuances of how what appears to be carefully planned and solidly on track can go off the rails for lack of commitment, with disastrous results.

Continue Reading Pandemic Lesson 4 for Information Governance – Commitment matters

In early 2018, outbreaks of a novel parainfluenza virus erupted in Frankfurt, Germany and Caracas, Venezuela.  United States soldiers serving abroad contracted the virus, and an exchange student returning to a small New England college campus triggered the initial cases in our country.  The virus spread by coughing and caused severe symptoms in about half of those infected, killing 20% of severely ill patients.  With no vaccination available, the novel virus spread rapidly across the globe.  Within a year, the virus – Clade X – killed 15 million Americans and 150 million people world-wide.

This actually happened two years ago … in a tabletop exercise hosted by Johns Hopkins Center for Health Security in Washington D.C.  Like its predecessors Dark Winter (2001) and Atlantic Storm (2005), the Clade X tabletop exercise featured subject matter experts in the unscripted roles of senior U.S. government officials reacting to a dense, unfolding fact pattern, based upon extensive scientific data and modelling, that realistically captured the likely variables and decision points in response to a national security crisis.  This time the crisis was a global pandemic, and Clade X revealed significant gaps in our pandemic response preparedness.

Clade X was not our most recent pandemic test event.  From January to August, 2019, the U.S. Department of Health and Human Services ran the Crimson Contagion planning exercise, with officials from a dozen states, various federal agencies, and non-governmental organizations working through response to a simulated viral pandemic originating in China.  Crimson Contagion’s findings were specific, blunt, and bleak, revealing widespread confusion between federal agencies and also between federal and state actors in coordinating response actions, such as in defining which workers were “essential,” handling school closures, and procuring sufficient personal protective equipment, ventilators, and medications.

Beyond “pre-mortem” exercises, post-mortem reviews identified our strengths and weaknesses in handling actual outbreaks, such as the July 11, 2016 NSC report capturing extensive lessons learned from our response to the 2015 Ebola outbreak.

The Lesson for Information Governance?

Continue Reading Pandemic Lesson 3 for Information Governance: Testing the plan matters

Eisenhower famously quipped “plans are worthless, but planning is everything.”  His point was that though a plan may not anticipate every contingency, the rigors of the planning process are essential for preparedness.  That’s true for everything from WWII to pandemic response and to managing information risks and opportunities.

So, did the United States have a plan for pandemic response, and what were its key elements?

Yes indeed, the Bush administration developed plans and recommendations for U.S. infectious disease response, and these were built upon by the Obama administration.  Key elements included the following:

Continue Reading Pandemic Lesson 2 for Information Governance: Planning Matters

“If anything kills over 10 million people in the next few decades, it’s most likely to be a highly infectious virus, rather than a war.  Not missiles, but microbes.”  That’s from Bill Gates’ 2015 TED Talk, in the midst of the Western African Ebola outbreak.  Gates added “[W]e’re not ready for the next epidemic….  With Ebola, the problem was not that we had a system that didn’t work well enough.  The problem was that we didn’t have a system at all.”

Let’s fast-forward to a couple years ago, the 100th anniversary of the 1918 flu pandemic.  What should have been understood in 2018 as the risk, in the near-term, of an epidemic or pandemic with major impact in the United States?

Understanding risk is how we address uncertainty.  Whether you prefer the common definition of risk (the possibility of loss or injury) or the more technical concept under ISO 31000 or COSO’s ERM Integrated Framework (the effect of uncertainty on objectives), understanding risk requires us to evaluate the likelihood and severity of potential outcomes.  Understanding risk also requires us to evaluate our current readiness to mitigate or control the risk, in light of our risk tolerance.

So, in 2018, what did we know about the likelihood and potential severity in the United States of epidemics and pandemics, and what did we know about our readiness to respond?

Continue Reading Pandemic Lesson 1 for Information Governance: Understanding risk matters

It’s been a challenging 2020, as each of us adapts to our new pandemic reality.  In the United States as of today, Covid-19 has infected more than 2.4 million and taken the lives of over 124,000, with southern and western states surging ahead of the northeastern states as Covid hot-spots.  Meanwhile, in the wake of state and local stay-at-home orders, United States unemployment has exploded, businesses (particularly small businesses) remain under stress, and the economy is in recession.

There’s a growing realization that the U.S. response to this pandemic could have been more timely, more organized, and more effective.  So, in the spirit of finding the pony in these strange, troubling times, it’s worthwhile to explore what lessons we can learn from our pandemic response, and how these lessons can be applied to how our organizations manage information.  Doing so reminds us of four fundamental insights about Information Governance.  I’ll be posting on each of these in more detail, but for now, here are the key points:

  • Understanding risk matters.  It’s a fact that novel viruses can proliferate, and it’s a certainty that data proliferates.  At any given moment the risks may seem remote, but the risks are nevertheless there, and the repercussions of simply ignoring those risks can be devastating.
  • Planning matters.  It takes time to assess risks, develop a plan, and put in place the rules, tools, and resources to manage those risks.  Like procrastinating until a virus becomes a pandemic, waiting until there’s a data breach, or a large-litigation preservation duty, or a business continuity or enterprise data system failure, is at best hugely and unnecessarily expensive, and at worst it can be disastrous.
  • Testing the plan matters.  The 2018 Clade X pandemic tabletop exercise, hosted by Johns Hopkins Center for Health Security in Washington D.C., identified significant gaps in our pandemic preparedness, and the U.S. government’s 2019 Crimson Contagion simulation of an influenza epidemic revealed massive holes in our response capabilities. Organizations that test their information governance capabilities with audits, reviews, and tabletop exercises will see how to improve their systems for retaining, securing, and compliantly disposing of information.  Data is not static, and dynamic risks require a dynamic governance response, so reviewing, exercising, and improving the program is essential.
  • Commitment matters.  Though hindsight is 20/20, it seems clear that the U.S. actually unwound and defunded many elements of our pandemic preparedness that were in place before 2020.  There were surely “competing priorities” in 2018 and 2019, but we are now paying a massive price for our lack of commitment to pandemic preparedness.  Similarly, there are always competing priorities for organizations, and it is tempting to lose focus on governing information, especially if all seems like smooth sailing in the moment.  But like pandemic preparedness, the point of managing information is to stay ahead of the curve, so that when data-related risks become today’s reality, the organization is prepared.

How we remember and apply these lessons can make the difference in the long-term success, if not the survival, of our organizations.  Because whether history repeats or merely rhymes, organizations that assess risk, plan, evaluate, and remain committed to Information Governance will do better than those that fail to do so.