Data Minimization to Avoid Over-Retention of Personal Information
Category: International Legal News
Subject: People and society; Internet; Information industry; Companies and enterprises
Source: Reuters
Publish Date: 03-29-2023
 
Organizations may face significant costs and penalties when they needlessly retain data, especially personal information, that has outlived its utility or business value. To avoid these risks, organizations must observe data minimization mandates and defensibly dispose of digital debris.
Data minimization and the routine, defensible disposition of data are essential to maintaining an organization's information hygiene. Some types of data are useful for only a short amount of time, while others, such as certain vital corporate records, may have a nearly infinite useful life. The likelihood that an organization will access aging data decreases exponentially over time, and the vast majority of data eventually reaches a point where it no longer has business value. The data eventually becomes digital debris, which industry experts commonly refer to as redundant, obsolete, or trivial data (ROT).
When organizations retain personal data and other types of digital records that have outlived their utility or business value, they subject themselves to considerable costs and expose themselves to substantial risks. Counsel should take stock of the volume of useless data that their organizational clients are needlessly storing and devise ways to dispose of it responsibly.
The High Costs of Retaining Digital Debris
Organizations often retain data by default regardless of its business value. Therefore, digital debris tends to accumulate indefinitely absent an organization's affirmative steps to the contrary.
Continued ownership of this debris is a significant and growing business expense at many organizations. Raw storage space may be cheap, but the total cost of owning enterprise data has increased due to the rising costs of related factors, such as security, labor, migration, and maintenance. Even if this trend reverses, the trajectory of growing data volumes is unlikely to subside. Indeed, the amount of enterprise data currently doubles every 24 months. Moreover, organizations must spend money to secure digital debris given the risk that the data may be subject to a data breach. (For more on the costs of data over-retention, see Act Now or Pay Later: The Case for Defensible Disposition of Data on Practical Law.)
In addition to the costs associated with storing and securing data, organizations are exposed to criminal, civil, and regulatory penalties when they unnecessarily retain sensitive data such as personally identifiable information, protected health information, payment card industry data, and other consumer, employee, and business information. Until recently, most legislative and regulatory activity focused on the relatively established requirements for records that organizations must keep, such as for tax purposes. However, regulators are now also focusing on the quickly evolving requirements on:
The types of data that organizations may obtain and keep.
How long organizations may keep different types of data.
The various ways organizations must protect data.
Therefore, the needless retention of data can perpetuate latent liabilities that grow more serious with time.
Data Minimization Mandates
Defensible disposition and data minimization norms are becoming increasingly necessary for many organizations, especially in connection with personal and sensitive data. In the past several years, jurisdictions within and outside the US have adopted data privacy and cybersecurity regulations and requirements mandating data minimization for consumers' personal information. While the specific laws vary among jurisdictions, they commonly boil down to two basic concepts, namely that organizations must not:
Collect more personal data than necessary to fulfill some legitimate purpose.
Keep what they have collected any longer than necessary to serve that purpose.
Organizations that stray from these data minimization dictates do so at their peril. As a result, many organizations now view the defensible disposition of ROT, particularly personal data, with renewed interest and a sense of urgency.
General Data Protection Regulation (GDPR)
As with many aspects of privacy regulation, the European Union's (EU's) GDPR led the way in data minimization (for more information, see Overview of EU General Data Protection Regulation on Practical Law). Article 5 of the GDPR lists six principles on how to process personal data, two of which directly address minimization of personal data. In particular, personal data must be:
Limited to what is necessary for the purpose of processing the personal data.
Retained in a way that allows identification of the data subjects for no longer than is necessary to process the personal data. (GDPR Article 5(1)(c), (e).)
Recital 39 of the GDPR reiterates that data minimization is of the utmost importance. It specifically highlights that Article 5 requires jurisdictions to limit personal data storage to a strict minimum.
The GDPR's broad reach means that US-based organizations handling European residents' personal data must comply with these mandates or risk significant fines and penalties. Several US jurisdictions have also adopted privacy-related regulations that largely follow the EU's lead on data minimization as set out in the GDPR (for a collection of resources on advising US-based clients on the GDPR, see GDPR Resources for US Practitioners Toolkit on Practical Law.)
US Laws
Counsel for US organizations should be aware of the domestic data minimization requirements under both federal and state law (for more on state laws that require entities to dispose of personal information, see State Data Disposal Laws Chart: Overview on Practical Law).
California Privacy Rights Act of 2020 (CPRA)
Effective January 1, 2023, the CPRA (Cal. Civ. Code §§ 1798.100-1798.199.100) amends and supplements the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §§ 1798.100-1798.199.95; Cal. Code Regs. tit. 11, §§ 7000-7102) (for a collection of resources to help counsel understand and comply with the CPRA and CCPA, see California Privacy Toolkit (CCPA and CPRA) on Practical Law). The CPRA applies to for-profit businesses that collect personal information from California resident consumers and either:
Have more than $25 million in gross annual revenue.
Annually buy, receive, sell, or share alone or in combination the personal information of 100,000 or more people or households for commercial purposes.
Derive 50% or more of their annual revenue from selling or sharing personal information. (Cal. Civ. Code § 1798.140.)
The CPRA contains the first explicit data minimization requirement of any US privacy law. Specifically, the CPRA:
Requires that an organization disclose to consumers what personal data it collects, for what purpose it collects the data, and how long the organization keeps the data.
Prohibits an organization from:
collecting additional categories of personal information that it did not disclose;
using the information it collects beyond its disclosed purpose; and
retaining consumers' personal information for longer than reasonably necessary beyond its disclosed purpose. (Cal. Civ. Code § 1798.100(a).)
Mandates that collecting, using, retaining, or sharing personal information must be “reasonably necessary and proportionate” to achieve the business purpose for which the organization collected or processed the information (Cal. Civ. Code § 1798.100(c)).
New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
New York's SHIELD Act applies to companies that own or license New York residents' private information. The SHIELD Act requires companies to apply and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including its disposal (N.Y. Gen. Bus. Law § 899-bb(2)).
For example, companies can comply with the SHIELD Act by implementing a data security program with certain defined features, including disposing of private information within a reasonable time after the company no longer needs it for business purposes (N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4); for more on the SHIELD Act, see New York Amends Data Breach Notification, Information Security, and Identity Theft Prevention Obligations on Practical Law.)
Illinois Biometric Information Privacy Act (BIPA)
The Illinois Biometric Information Privacy Act (BIPA) (740 Ill. Comp. Stat. §§ 14/1 to 14/99) applies to private entities that possess biometric information or identifiers, such as facial geometry, iris scans, voice prints, and fingerprints. BIPA requires these entities to develop a written, publicly available policy that prescribes:
A retention schedule for biometric identifiers and information.
Guidelines for permanently destroying biometric identifiers and information at the earlier of:
when the entity satisfies its initial purpose for collecting the identifiers and information; or
within three years of the last interaction between the individual and entity.
As a parade of class action lawsuits has recently shown, an organization's failure to comply with BIPA's mandates can result in steep statutory penalties and fees (see, for example, In re Facebook Biometric Info. Privacy Litig., 326 F.R.D. 535, 548-49 (N.D. Cal. 2018); for more information, see BIPA Compliance and Litigation Overview on Practical Law).
Federal Trade Commission Act (FTC Act) and Safeguards Rule
The FTC Act (15 U.S.C. §§ 41-58) applies to “all persons engaged in commerce.” It prohibits engaging in “unfair methods of competition” and “unfair or deceptive acts or practices in or affecting commerce” (15 U.S.C. § 45(a)(1)). Although the FTC Act may not sound like a data minimization mandate, the Federal Trade Commission (FTC) has considered unreasonable data security practices to qualify as unfair or deceptive practices, including collecting consumer data and retaining it longer than a legitimate business purpose justifies (see Penalties for Over-Retention of Personal Data below).
Additionally, effective December 1, 2022, the FTC updated its Safeguards Rule, which applies to financial institutions. The update requires financial institutions to implement procedures to securely dispose of customer information within two years of last using that information. However, financial institutions may keep the information longer for a legitimate business or legal purpose. (16 C.F.R. § 314.4(c)(6)(i); for more information, see FTC Amends Safeguards Rule to Strengthen Data Security Obligations on Practical Law.)
Other Consumer Privacy Laws
Colorado, Connecticut, Utah, and Virginia have adopted comprehensive consumer privacy legislation that becomes effective in 2023. Each state's legislation applies to different types of entities and promotes data minimization. A covered organization must collect only adequate and relevant personal data, limited to what it reasonably needs in relation to the specific purpose for which it processes the data.
(For more on the consumer privacy legislation in these states, see Colorado Attorney General Releases Guidance on Data Security Practices and the Colorado Privacy Act, Connecticut Enacts Consumer Privacy Act, Utah Enacts Consumer Privacy Act, Virginia Amends Virginia Consumer Data Protection Act, and Quick Comparison Chart (CPRA and VCDPA) on Practical Law; for information on Virginia's regulations compared to the EU's regulations, see Quick Comparison Chart (GDPR and VCDPA) on Practical Law.)
Defensible Disposition
To defensibly dispose of data and comply with legal and regulatory obligations, organizations should consider how their defensible disposition strategy fits within their overall information governance policies and programs, as well as the legal standard courts apply when evaluating data disposition decisions.
Information Governance
The primary purpose of an information governance program is to manage the organization's information in ways that meet the organization's legal and regulatory obligations. The US Supreme Court has recognized that information governance is fundamentally a business function, observing that ordinarily “it is not wrongful for a manager to instruct his employees to comply with a valid document retention policy, even though the policy, in part, is created to keep certain information from others, including the Government” (Arthur Andersen LLP v. United States, 544 U.S. 696, 696 (2005)).
Many other courts have likewise recognized that records retention policies serve important and legitimate business purposes (see, for example, Barnett v. Deere & Co., 2016 WL 4544052, at *4 (S.D. Miss. Aug. 31, 2016) (noting that the court does not “draw an inference of bad faith when documents are destroyed under a routine policy”) (quoting Russell v. Univ. of Tex., 234 F. App'x 195, 208 (5th Cir. 2007)); Spanish Peaks Lodge, LLC v. Keybank Nat'l Ass'n, 2012 WL 895465, at *1 n.3 (W.D. Pa. Mar. 15, 2012) (denying a motion for spoliation sanctions based on evidence destroyed under a document retention policy, because credible testimony established that “the document retention policy was implemented for legitimate business purposes unconnected with the current litigation”); for information on the key considerations for drafting a document retention policy, see Drafting a Document Retention Policy on Practical Law).
An information governance program should contribute to the business's efficiency, productivity, and overall value (for a collection of resources that provide practical guidance on establishing and managing US privacy compliance and information governance programs, see Privacy Compliance and Policies Toolkit on Practical Law). Digital debris impedes these objectives in many ways, such as by making it difficult for:
Users to find the information they need when they need it.
The organization to identify and extract needed information from a subset of valuable information.
Compliance groups to mitigate risks related to the organization's prolonged retention of certain records.
The crux of most business decisions is the anticipated return on investment. In other words, businesses balance expected value against expected costs or risks to determine whether a task is sufficiently net positive to warrant proceeding. Decisions on retention and disposition of information are no different. When deciding whether to retain data, the primary question to ask is whether the business can or actually does extract value from it. However, counsel should also keep in mind that while information can provide value and mitigate risk, it can also needlessly subject an organization to costs and risks where the organization engages in improper retention or disposal practices.
Reasonable Retention
Counsel should pragmatically approach decisions involving data retention and disposition. The yardstick by which a regulator measures an organization's conduct is reasonableness. Under that standard, the regulator considers what a typical organization acting with regular prudence does under similar circumstances. The hallmarks of reasonableness include processes that are sensible, consistent, programmatic, and well-documented. A regulator does not expect or require perfection because it is impossible.
An organization's proposed initiatives to dispose of large volumes of ROT may be paralyzed due to concerns that the data may contain documents relevant to a future legal or regulatory proceeding. However, even if that is the case, the regulator's question is not whether the organization applied a retention and disposition framework to keep every relevant bit or byte of relevant data, but rather whether the organization's processes were reasonable under the circumstances.
Reasonable retention is not an all-or-nothing proposition. The fact that it is neither practical nor possible for an organization to identify and purge all ROT does not mean that the organization cannot make significant gains using tactical initiatives targeting particular data stores. For example, an organization can achieve significant reductions in hard and soft costs simply by:
Adopting a framework for classifying information it creates and receives, such as bifurcating information.
Remediating the organization's most readily identifiable and addressable ROT.
Assigning conservative retention periods to the remainder of the organization's existing data so that the less readily identifiable ROT is remediated over time.
Most organizations find it useful to bifurcate their information universe into:
Already existing information.
Newly created or newly received information.
Even an organization that cannot address ROT in its existing information stores can make significant progress toward reasonable retention by developing and implementing a sound framework for the classification, retention, and disposition of information that it creates or acquires on a going forward basis.
Bifurcating information and implementing the necessary policies, procedures, and technologies to retain and dispose of information helps the organization set a course that:
Allows unclassified legacy information to age out.
Manages current, properly classified information according to:
the organization's business needs; and
legal and regulatory obligations.
Penalties for Over-Retention of Personal Data
Due to various legislative and regulatory mandates, organizations risk enforcement actions and hefty penalties when they fail to practice proper data hygiene, collect too much consumer data, or over-retain personal data. Regulators have demonstrated a heightened willingness to enforce data minimization mandates. The following actions in 2022 illustrate this trend:
In January, the New York Attorney General reached a settlement with vision benefits provider EyeMed following an investigation into a data security incident. The action concerned a 2020 data breach where hackers accessed an EyeMed email account and exposed the personal information of more than two million consumers. The email account contained patients' sensitive personal and health information from a six-year period. The Attorney General relied on the SHIELD Act's data minimization mandate to allege that it was unreasonable for EyeMed to retain personal information in an email account for up to six years instead of copying the information to a more secure location or deleting older messages. The settlement required EyeMed to take on onerous prospective obligations (for example, maintaining a penetration testing program and offering certain customers free daily credit monitoring for two years) and pay a $600,000 penalty. (Assurance of Discontinuance, , Assurance No. 21-071 (Jan. 18, 2022).)
In February, the FTC brought a complaint in a California district court against two companies related to the company formerly known as Weight Watchers (Kurbo Inc. and WW International, Inc.). The companies collected personal information from consumers, including minors, through their mobile application providing weight management services. The FTC alleged violations of the Children's Online Privacy Protection Act (COPPA) based on the companies' failure to obtain parental consent when they gathered the minors' personal information. The FTC also alleged an unfair trade practice under the FTC Act and COPPA, due to the companies' over-retention of the minors' personal data for an indefinite period. The settlement required the companies to delete the minors' personal information and pay a $1.5 million penalty. (FTC, Press Release, FTC Takes Action Against Company Formerly Known as Weight Watchers for Illegally Collecting Kids' Sensitive Health Data (Mar. 4, 2022); for more information, see FTC Announces Settlement with WW International and Kurbo for COPPA Violations on Practical Law.)
In June, the FTC finalized an order in its enforcement action against CafePress, an online custom merchandise platform, related to a data breach. The FTC alleged that CafePress put personal information at unnecessary risk when it indefinitely stored the information without a business need, among other deficient data security practices, made false and misleading assurances about data security in light of the platform's indefinite data retention, and failed to minimize data, thereby committing an unfair or deceptive practice under the FTC Act. The settlement required CafePress to adopt stronger data security measures and pay a $500,000 penalty. (FTC, Press Release, FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security (June 24, 2022).)
This trend is likely to continue and pick up steam. For example, Section 101 of the discussion draft of the proposed American Data Privacy and Protection Act (H.R. 8152), which would have established a federal data security and privacy framework, sought to impose an express duty of data minimization for certain organizations. As proposed, the bill mandated that organizations must collect, process, or transfer only data that is reasonably necessary, proportionate, and limited to a consumer's requested service or a permitted purpose under the Act. (For more on federal privacy-related bills, see Federal Privacy-Related Legislation Tracker on Practical Law.)
Data Hygiene Best Practices
Data minimization is no longer an aspirational feature of an organization's approach to privacy. Similarly, data security is not something an organization addresses only to reduce exposure from a potential data breach. Data minimization and security have become independent obligations that organizations ignore at their own peril. Now, more than ever, it is critical for organizations to carefully evaluate the records they retain and for what purpose. They should develop and document processes to ensure that data, especially personal and sensitive data, is disposed of once it no longer serves a business need.
To achieve a healthy information lifestyle, organizations should:
Assess the maturity of their overall information governance systems and programs.
Revisit and re-evaluate their records retention policies and procedures.
Update data maps that describe what data resides where within an organization and how data flows within and among its various internal and external information systems.
It is also critical that changing practices affecting the retention of personal data are not misaligned with written policies and procedures. The only thing worse than not having a robust information governance program is having a set of policies and procedures that the organization does not follow due to confusion or inconsistency. (For a collection of resources on managing an organization's records and retention requirements, see Records Management Toolkit and Global Records Retention Toolkit on Practical Law.)
Two key components of a streamlined information profile are to:
Mindfully tackle data lakes (meaning, centralized repositories for data storage at scale) and offsite records storage facilities.
Develop strategies for the defensible disposition of ROT. This process involves:
creating a catalogue of the various types of data and records that the organization is storing and deriving from that a list of what it is unnecessarily storing;
establishing a system for defensibly disposing of data that the organization no longer reasonably needs;
implementing a process for reducing the amount of digital debris unnecessarily retained in the future and periodically updating that process; and
regularly reviewing federal and state-specific regulations for changes to disclosure and collection requirements (among others) that affect how organizations retain personal information.
The recent legal and regulatory pressures should act as a powerful catalyst for change and provide the motivation necessary to overcome the decision paralysis that organizations often face when challenged to mindfully pursue defensible disposition.