In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements:
Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments). Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.
Managing data volumes has always been prudent. Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures. Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola: “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”
But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal. With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data. And U.S. privacy and data security laws have generally been silent on retention periods for protected information. For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.
Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws. I’ll dig deeper into these developments in upcoming posts, but here are the high points:
Continue Reading For U.S. businesses, less data is more than ever
They say that the right time to plant a tree is yesterday. In a world of data dangers and opportunities, the time to elevate how your business governs its information is now. That’s easy to say, but with all of the conflicting priorities facing companies today, for many it’s hard to get started, or to
It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data. That’s nonsense. It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.
Even the courts themselves dispose of their data. Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.
Here are but a few of the many case decisions on this point:
Continue Reading Why govern our information? Reason #6: It’s OK to destroy business data. Really.
Dr. Stephen Covey reminded us that “important” is not the same thing as “urgent.” Records retention reminds us that important is not the same thing as exciting. I get it – records retention schedules are boring. But the fact remains that literally thousands of records retention requirements apply to your organization’s information. I know, because my firm finds and tracks these laws as part of our decades of retention schedule work for clients across industries. And your regulators expect you to know them too.
Records retention requirements generally apply to information’s content, regardless of the information’s medium – electronic data, paper, you name it. The requirements are scattered across the federal and 50 states’ statutory and regulatory codes, often with unusual retention mandates. Here are just a few:
Continue Reading Why govern our information? Reason #11: Thousands of federal and state records retention laws apply to your company
Last week’s post explored why law firms need data security policies. Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.
What does a records retention schedule have to do with data security? Simply this – keeping data without a legal or business reason exacerbates data security exposures.
Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose. This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.
It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.
But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right? Actually, far too few firms do.
Continue Reading Law firm data retention – they can’t hack what you no longer have
How time flies. Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc. Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com. Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.
Lots has changed since then. New technologies, expanded data sources and media types, and more raw data have flooded consumer and business marketplaces alike. We’ve all seen the scary statistics on increasing information volumes and the security risks that follow. Unfortunately, our controls for the creation, management, retention, and disposition of those data have not kept pace. Yet how we manage our data on a day-to-day basis goes also to the heart of how we protect our data and ensure that our information assets are secure from theft or compromise.
During my years at CFI and since, I’ve found myself pondering “what if?” questions. What if we only had to protect 20% of our information? What if clients could take dollars earmarked for e-discovery and increased storage and spend them instead on better systems and operational improvements? What if a client faced with the reality of a data breach didn’t have to wonder how many unnecessary skeletons were now visible? The promise of information governance is that we can answer these questions affirmatively. This is good news, and more importantly, news you can use.
Continue Reading Information governance – the foundation for information security
“Gar
bage in, garbage out” – we know that already, right? Well … what we know about information quality and what we do are not always in sync. Just for kicks, consider information quality through the lens of the industrial quality movement.
Looking down from 30,000 feet, the history of industrial quality goes something like this – Medieval Guild craftsmanship, then Industrial Revolution product inspection, and then the post-World War II focus on quality process management. It sounds arcane, until one remembers the 1980’s visceral fear that Japanese manufacturers were beating the pants off of U.S. manufacturing in terms of quality and value. Enter W. Edward Deming, who had been deeply influential in Japan’s post-war industrial recovery, and who became the evangelist for quality management practices in U.S. industry. Deming exhorted American management to adopt product and service quality as the driving force in all business practices.
What’s that got to do with Information Governance? It’s this – regardless of industry, in today’s world you’re actually in the information business. So, business quality increasingly means information quality.
Continue Reading Why govern your information? Reason #5: Bad information results in bad decisions.
OK, IT mavens, listen up…how much better would your life be if you only had to manage and protect 20% of your company’s data? By eliminating 80% of your data you could free up oodles of storage, reduce licensing costs, shorten backup cycles, and drastically cut e-discovery preservation costs, not to mention go home on time for a change. For most this is an unrealistic pipe dream, but it doesn’t need to be. The trick is knowing which 20% to manage.
Continue Reading The 20% solution for information management and security
It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data. That’s nonsense. It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.
Even the courts themselves dispose of their data. Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.
Here are but a few of the many case decisions on this point:
Continue Reading Why govern your information? Reason #6: It’s OK to destroy your data.