Defensible Data Disposal – ONCE A RISK MITIGATION STRATEGY, NOW A COMPLIANCE REQUIREMENT
Increased legislative focus on data privacy and security has made it necessary for businesses and their lawyers to review corporate record retention policies and data disposal practices to determine whether they comply with newly enacted state laws, and to update them accordingly. The penalties for noncompliance with the provisions in these laws that specify the method by which personal data must be disposed of and the time frame for such disposal, combined with the ongoing risk of data breaches, significantly increase the potential liabilities for companies that do not properly dispose of personal data when they are entitled, or required, to do so.
THE EVOLVING APPROACH TO DATA RETENTION AND DISPOSAL
For years, data privacy and security lawyers have encouraged their clients to dispose of data that is not subject to litigation holds or regulatory obligations, and that has little, if any, business value, especially if that data contains personally identifiable information about customers, consumers, or other individuals. Defensible data disposal efforts were often met with resistance, in part due to the challenge of reaching consensus within an organization as to which data is sufficiently valuable to the company’s operations to be retained, and which data no longer has business value and can be destroyed. In addition, some companies were unable to devote the time and resources necessary to conduct this detailed and often complicated analysis, or did not consider it a high priority.
Corporate priorities began to shift when eDiscovery became a standard feature of litigation, and companies found themselves in the unenviable position of having to put litigation holds on data that they lawfully could have disposed of prior to being sued. Having missed this opportunity to delete data, and now finding themselves with lawsuits filed against them and litigation holds in place, companies were required to preserve, and often review and produce, data that was relevant to the claims and defenses in the new litigation. The costs associated with the review of that data, and the potential impact of that data in the new actions, caused many companies to reevaluate their approach to data retention and disposal. The risks associated with retaining data that was not subject to a litigation hold or a regulatory requirement, that had limited business value, and contained personally identifiable information became even more pronounced as data breaches became increasingly common, and led to class action litigation, regulatory investigations, and reputational damage.
In the wake of the GDPR, numerous U.S. state legislatures have proposed and/or passed laws that expand the scope of what was previously regarded as “personally identifiable information.” This trend makes it increasingly important for organizations to sharpen their focus on the personal data they retain, the duration of time they retain it, and how they dispose of it. Some of these laws mandate destruction of personally identifiable data within certain time frames, and impose penalties for failure to do so. As a result, lawyers must be able to help their clients implement, document, and audit their data disposal policies and practices, and ensure that they have defensible explanations for decisions to keep personally identifiable data that may, arguably, be subject to deletion requirements under these new, and relatively untested, laws.
NEW YORK STATE’S SHIELD ACT
In July 2019, New York State Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). The SHIELD Act’s “reasonable security requirement” provides that a person or business that owns or licenses computerized data that includes “private information” of a New York resident must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”1 To satisfy the reasonable security requirement, a person or business must implement a data security program, reasonable technical safeguards, and reasonable physical safeguards, as described in the statute. “Reasonable physical safeguards,” as defined in the SHIELD Act, include protecting private information against unauthorized access or use throughout the data lifecycle, including during the destruction or disposal of the information, and disposing of private information within a “reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”2
The SHIELD Act defines “private information” as either (1) a user name or email address combined with a password or security question and answer that would permit access to an online account, or (2) personally identifiable information about a natural person combined with one of five specified data elements, such as a social security number or biometric information, when either the data element, or the combination of the data element and the personal information, is not encrypted, or is encrypted with an encryption key that has also been improperly accessed or acquired.3
DATA DISPOSAL UNDER LOUISIANA LAW
Similarly, Louisiana’s Database Security Breach Notification Law requires a person or company that conducts business in that state, or that owns or licenses data that contains personal information, to take “all reasonable steps to destroy or arrange for the destruction of the records within its custody or control” that contain personal information that is “no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”4 The law defines “personal information” as the first name or initial, and the last name, of a resident of Louisiana, in combination with the individual’s social security number, driver’s license number, credit card information, passport number, or biometric data, when this information is kept in unredacted or unencrypted form.5
DISPOSAL REQUIREMENTS FOR BIOMETRIC DATA
Recognizing the sensitivity of biometric data, Illinois has a specific law that addresses the privacy and security of this type of personal information. The Biometric Information Privacy Act (BIPA) requires biometric information to be “permanently destroyed” when the initial purpose for which it was collected or obtained has been satisfied, or within three years of the individual’s last interaction with the entity that collected it, whichever occurs first.6 Under BIPA, “biometric information” encompasses any information – regardless of how it is captured, converted, stored or shared – that is based on an individual’s biometric identifier that is used to identify an individual.7 Examples of “biometric identifiers” include retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.8
Scheduled to become effective on January 1, 2020, the California Consumer Protection Act (CCPA), as currently drafted, gives consumers the right to request that a business “delete” personal information it has collected about them and direct service providers who are in possession of that personal information to delete it as well.9 For purposes of the CCPA, “personal information” means information that “identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include names, aliases, postal addresses, IP addresses, email addresses, social security numbers, driver’s license numbers, passport numbers, biometric information, geolocation data, Internet activity information, and employment-related information if that data “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”10
DISPOSAL OF GEOLOCATION DATA
Finally, the Utah “Electronic Information or Data Privacy Act,” which was signed into law in March 2019, requires law enforcement to obtain a warrant in order to access certain electronic data held by a third party, including geolocation information,11 with certain exceptions.12 The data disposal provision of the law makes clear that law enforcement must destroy this data in an “unrecoverable manner” as soon as reasonably possible after the data is collected.13
Data disposal was once seen as optional – a business decision about whether the risks associated with keeping data of questionable business value justified the allocation of time and resources to review, evaluate, and possibly dispose of that data. With the passage of the SHIELD Act and similar laws, data disposal is now a legal requirement in many states. Companies that do business in multiple states (and countries) may find themselves having to comply with multiple laws that may specify different, and inconsistent, time frames and methods for data disposal. All this makes it increasingly important for companies and their lawyers to be prepared to demonstrate their compliance with these laws, and to be ready to defend their data privacy and security practices, including their decisions about which personally identifiable data to dispose of and which personally identifiable data to keep.
- Stop Hacks and Improve Electronic Data Security Act, S.5575-B, § 899-bb(2).
- Id. at Section 3(1)(a), (b).
- Database Security Breach Notification Law, R.S. 51:3074.
- Id., R.S. 51:3073(4)(a).
- 740 ILCS 14/15.
- 740 ILCS 14/10.
- Biometric data protection laws are also being considered in New York City and New Jersey. See New York City Council Int. No. 1170-2018; N.J. A.B. No. 4640 and N.J. S.B. No. 3153.
- Cal. Civ. Code, § 1798.05.
- Id. at 1798.140(o)(1).
- The New York City Council proposed a law to prohibit telecommunications carriers and mobile applications from sharing users’ geolocation information. See New York City Council Int. No. 1632-2019.
- Electronic Information or Data Privacy Act, §23c-102(1)(a).
- Id. at subsection (d).