Published in Practical Law Litigation and Practical Law The Journal
By Martin T. Tully and Nick B. Snavely
An Article explaining the risks and costs of an organization needlessly retaining personally identifiable information and digital records that have outlived their utility or business value and are digital debris. This Article identifies data minimization mandates, describes the risks organizations face when overretaining personal or useless data, and explains how they may defensibly dispose of it.
Retaining personal data and other types of digital records that have outlived their utility or business value can present significant costs and risks to an organization. Counsel should take stock of the volume of useless data their organizational clients are needlessly storing and devise ways to dispose of it responsibly.
In particular, counsel should:
- Create a list of the various types of data and records the organization is storing, and derive from that a list of what it is unnecessarily storing.
- Establish a system for defensibly disposing of data the organization no longer reasonably needs.
- Implement a process for reducing the amount of digital debris unnecessarily retained in the future and periodically updating that process.
- Regularly review federal and state-specific regulations for changes to disclosure and collection requirements (among others) that affect how companies retain personal information.
The High Cost of Retaining Digital Debris
Data minimization and the routine, defensible disposition of data are essential to maintaining an organization's information hygiene. Some types of data are useful for only a short amount of time, while others, such as certain vital corporate records, may have a nearly infinite useful life. But the vast majority of data reaches a point after some time where it no longer has business value. When an organization retains data beyond its useful life, the primary question to ask when deciding whether to retain it is whether the business can extract value from it. The related question is whether the business will extract value from it. The likelihood that an organization will access aging data decreases exponentially over time. The data eventually becomes digital debris, which industry experts commonly refer to as data that is redundant, obsolete, or trivial (ROT).
Companies often retain data by default regardless of its business value. Therefore, digital debris tends to accumulate indefinitely absent a company's affirmative steps to the contrary. Continued ownership of this debris is a significant and growing business expense at many organizations. Raw storage space may be cheap, but the total cost of owning enterprise data has increased due to the rising costs of security, labor, migration, maintenance, and other factors. Even if the trend reverses, the trajectory of growing data volumes is unlikely to subside. Indeed, the amount of enterprise data currently doubles every 24 months.
For more information about the cost of over-retention, see Article, Act Now or Pay Later: The Case for Defensible Disposition of Data: The High Costs of Data Over-Retention.
Regulatory Restrictions
The situation is worse than organizations needlessly spending money to retain digital debris. Specifically, organizations spend money on securing digital debris because they recognize that this data may be subject to a data breach. But the unnecessary retention of personally identifiable information, protected health information, payment card industry data, and a host of other consumer, employee, and business information exposes organizations to criminal, civil, and regulatory penalties. Until recently, most legislative and regulatory activity focused on the relatively established requirements of the records that organizations must keep, such as for tax purposes. However, regulators now also focus on the quickly evolving requirements of:
- The types of data that organizations may obtain and keep.
- How long organizations may keep different types of data.
- The various ways organizations must protect this data.
Consequently, organizations not only spend money to store data that lacks value, but also to perpetuate latent liabilities that grow more serious with time.
The legislative and regulatory environment has shifted in the past few years. Spearheaded by new data privacy and cybersecurity mandates, organizations are increasingly restricted to:
- Collecting only the personal data they absolutely need.
- Using data only for the explicit purposes for which they collected it.
- Disposing of personal data appropriately as soon as they no longer reasonably need it.
Organizations that stray from these data minimization dictates do so at their peril. As a result, many organizations now view the defensible disposition of ROT, particularly personal data, with renewed interest and a sense of urgency.
The Rise of Defensible Disposition
Information governance is fundamentally a business function. The Supreme Court recognized that information governance is a business function when it observed that ordinarily, "it is not wrongful for a manager to instruct his employees to comply with a valid document retention policy, even though the policy, in part, is created to keep certain information from others, including the Government" (Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005)). Many other courts have likewise recognized that record retention policies serve important and legitimate business purposes (see, for example, Spanish Peaks Lodge, LLC v. Keybank Nat. Ass'n, 2012 WL 895465, at *1 n.3 (W.D. Pa. Mar. 15, 2012) (denying motion for spoliation sanctions based on evidence destroyed pursuant to a document retention policy, because credible testimony established that “the document retention policy was implemented for legitimate business purposes unconnected with the current litigation”) and Barnett v. Deere & Co.,2016 WL 4544052, at *4 (S.D. Miss. Aug. 31, 2016) (noting that “[t]he court does ‘not draw an inference of bad faith when documents are destroyed under a routine policy’”) (quoting Russell v. Univ. of Tex.,234 Fed. Appx. 195, 208 (5th Cir. 2007)).
The primary purpose of an information governance program is to manage the organization's information in ways that meet the organization's legal and regulatory obligations. Simultaneously, the information governance program should contribute to the business's efficiency, productivity, and overall value. Digital debris impedes these efforts in many ways, such as by making it difficult for:
- Users to find the information they need when they need it.
- The organization to identify and extract benefit from a subset of valuable information.
- Compliance groups to mitigate risks related to the organization's prolonged retention of certain records.
The crux of most business decisions is the anticipated return on investment. This is, in other words, balancing expected value against expected cost or risk to determine whether a task is sufficiently net positive to warrant proceeding. Decisions on retention and disposition of information are no different. Information has value, incurs cost, and can create or mitigate risk.
Reasonable Retention
Counsel should approach decisions involving data retention and disposition sensibly. The yardstick by which a regulator measures an organization's conduct is reasonableness. It considers what a typical organization acting with regular prudence would have done under similar circumstances. A regulator does not expect or require perfection because it is impossible. An organization's proposed initiatives to dispose of large volumes of ROT may otherwise be paralyzed due to concerns it may contain documents relevant to a future legal or regulatory proceedings.
Regardless of whether the organization would identify such documents in connection with a future proceeding, the regulator's question is not whether the organization applied a retention and disposition framework to keep every relevant bit or byte of relevant data. Instead, it examines whether the organization's processes were reasonable under the circumstances. The hallmarks of reasonableness include processes that are sensible, consistent, programmatic, and well-documented.
Reasonable retention is not an all-or-nothing proposition. The fact that it is neither practical nor possible for an organization to identify and purge all ROT does not mean that it cannot make significant gains using tactical initiatives targeting particular data stores. For example, an organization can achieve significant reductions in hard and soft costs simply by:
- Adopting a framework for classifying information it creates and receives (see Bifurcate Information).
- Remediating the organization's most readily identifiable and addressable ROT.
- Assigning conservative retention periods to the remainder of the organization's existing data so that it remediates the less readily identifiable ROT over time.
Bifurcate Information
Most organizations find it useful to bifurcate their information universe into already-existing information and newly created or received information. Even an organization that is unable to address the ROT in its existing information stores can make significant progress toward reasonable retention by developing and implementing a sound framework for the classification, retention, and disposition of information that it creates or acquires.
Bifurcating information and implementing the necessary policies, procedures, and technologies for the organization to retain and dispose of information helps it set a course that:
- Allows unclassified legacy information to age out.
- Manages current, properly classified information according to:
- the organization's business needs; and
- legal and regulatory obligations.
The Advent of Data Minimization Mandates
Defensible disposition and data minimization norms are becoming increasingly necessary for many organizations, especially for personal and sensitive data. In the past several years, jurisdictions within and outside the United States have adopted regulations and requirements mandating data minimization related to privacy and consumers' personal information. While the details vary among jurisdictions, several have adopted mandates that boil down to the two basic concepts that companies must not:
- Collect more personal data than necessary to fulfill some legitimate purpose.
- Keep what they have collected any longer than necessary to serve that purpose.
General Data Protection Regulation (GDPR)
As with many aspects of privacy regulation, the European Union's General Data Protection Regulation (GDPR) led the way in data minimization. Article 5 of the GDPR lists six principles on how to process personal data, two of which directly address data minimization. Article 5 also requires for personal data to be:
- Limited to what is necessary for the purpose of processing the personal data.
- Retained in a way that allows data subject identification for only as long as necessary for the purpose of processing the personal data.
(GDPR Article 5(1)(c), (e).)
Recital 39 reiterates that data minimization is of utmost importance. It specifics that Article 5 requires jurisdictions to limit personal storage data to a strict minimum.
The GDPR's broad reach means US-based companies handling European residents' personal data must comply with these mandates or risk significant fines and penalties. In addition, several US jurisdictions have adopted privacy-related regulations that largely follow the EU's lead on data minimization following the GDPR.
US Laws
Counsel for US companies should be aware of the domestic data minimization requirements in California, Colorado, Connecticut, Illinois, New York, Virginia, and Utah and under the Federal Trade Commission Act (15 U.S.C. §§ 41-58) (FTC Act).
California Privacy Rights Act
Effective January 1, 2023, the California Privacy Rights Act of 2020 (CPRA) amends and supplements the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §§ 1798.100 to 1798.199.95; Cal. Code Regs. tit. 11, §§ 7000 to 7102). It applies to for-profit businesses with over $25 million in annual revenue or that conduct major business buying or selling consumers' personal information if they handle California consumers' personal data.
The CPRA contains the first explicit data minimization requirement of any US privacy law. Specifically, the CPRA:
- Requires that a company disclose to consumers what personal data it collects, for what purpose, and for how long the company keeps the data.
- Prohibits a company from:
- collecting additional categories of personal information;
- using the information it collects beyond its disclosed purpose; and
- retaining a consumer's personal or sensitive personal information for longer than reasonably necessary beyond the disclosed collection purpose.
(Cal. Civ. Code Section 1798.100(a)(1)-(3).)
- Mandates that collecting, using, retaining, or sharing personal information must be "reasonably necessary and proportionate" to achieve the business purpose for which the company collected or processed the information (Cal. Civ. Code Section 1798.100(c)).
New York Stop Hacks and Improve Electronic and Security (SHIELD) Act
The New York Stop Hacks and Improve Electronic and Security (SHIELD) Act applies to companies that own or license New York residents' private information. The SHIELD Act requires companies to apply and maintain reasonable safeguards to protect the private information's security, confidentiality, and integrity, including its data disposal (N.Y. Gen. Bus. Law § 899-bb(2)).
For example, companies can comply with the SHIELD Act by implementing a data security program with certain defined features, including disposing of private information within a reasonable time after the company no longer needs it for business purposes (N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4)).
Illinois Biometric Information Privacy Act (BIPA)
The Illinois Biometric Information Privacy Act (BIPA) (740 Ill. Comp. Stat. 14/ to 14/99) relates to biometric information and identifiers, such as facial geometry, iris scans, voice prints, and fingerprints. BIPA applies to private entities that possess biometric identifiers or information. It requires these entities to develop a written, publicly available policy that sets:
- A retention schedule for biometric identifiers or information.
- Guidelines for permanently destroying an individual's identifiers or information at the earlier of:
- after the entity satisfies its initial purpose for collecting the identifiers or information; or
- within three years of the last interaction between the individual and the entity.
As a parade of class action lawsuits have recently shown, an organization's failure to comply with BIPA's mandates can result in steep statutory penalties and fee awards (see, for example, In re Facebook Biometric Info. Privacy Litig. 3:15-cv-03747-JD (N.D. Cal.) (2018).
Federal Trade Commission Act
The FTC Act applies to "all persons engaged in commerce." It prohibits engaging in "unfair methods of competition" and "unfair or deceptive acts or practices in or affecting commerce." (15 U.S.C. § 45(a)(1).). Although the FTC Act may not sound like a data minimization mandate, the FTC has considered unreasonable data security practices to qualify as an unfair or deceptive practice, including collecting consumer data and retaining it longer than a legitimate business purpose justifies.
In addition, the FTC updated its Safeguards Rule that applies to financial institutions. The update is effective on December 1, 2022 and generally requires financial institutions to implement procedures to securely dispose of customer information within two years of it last using that information. However, financial institutions may keep the information longer for a legitimate business or legal purpose. (16 C.F.R. § 314.4(c)(6)(i).)
Other Consumer Privacy Laws
Colorado, Connecticut, Utah, and Virginia have adopted comprehensive consumer privacy legislation that will become effective in 2023. Each state's legislation similarly applies to different types of entities and promotes data minimization. A covered organization must collect only adequate and relevant personal data limited to what it reasonably needs in relation to the specific purpose for which it processes the data.
Penalties for Over-Retention of Personal Data Are Increasingly Prevalent
Due to various legislative and regulatory mandates, organizations that fail to practice proper data hygiene, collect too much consumer data, or over-retain this data risk drawing enforcement actions and potentially hefty penalties. Regulators have demonstrated a heightened willingness to enforce these data minimization mandates. Three developments in 2022 that illustrate the trend include the following:
- In January, the New York Attorney General reached a settlement with vision benefits provider EyeMed following an investigation into a data security incident. The action concerned a 2020 data breach where hackers accessed an EyeMed email account and exposed the personal information of over two million consumers. The email account contained content from a six-year period that contained patients' sensitive personal and health information. The Attorney General relied on the SHIELD Act's data minimization mandate to allege it was unreasonable for EyeMed to retain personal information in an email account for up to six years instead of copying it to a more secure location or deleting older messages. The settlement required EyeMed to take on onerous prospective obligations (for example, maintaining a penetration testing program and offering certain customers free daily credit monitoring for two years) and pay a $600,000 penalty.
- In February, the FTC brought a complaint in California federal district court against two companies related to the company formerly known as Weight Watchers (Kurbo Inc. and WW International). The companies collected personal information from consumers, including minors, using their application (app) for weight management services. The FTC alleged violations of the Children's Online Privacy Protection Act (COPPA) based on the companies' failure to obtain parental consent when they gathered the minors' personal information. The FTC also labeled the companies' over-retention of the minors' personal data for an indefinite period or up to three years as an unfair trade practice under the FTC Act and COPPA. The settlement required the companies to delete the minors' personal information and pay a $1.5 million penalty. (See FTC Takes Action Against Company Formerly Known as Weight Watchers for Illegally Collecting Kids' Sensitive Health Data (F.T.C. News Release, March 4, 2022).)
- In June, the FTC finalized an order in its enforcement action against CafePress, an online custom merchandise platform, related to a data breach. Among other data security practices the FTC alleged were deficient, the agency claimed that CafePress put personal information at unnecessary risk because it indefinitely stored the information in the absence of a business need. The FTC considered the platform's indefinite data retention to render its assurances about data security to be false and misleading. It also identified the platform's failure to minimize data as an unfair or deceptive practice under the FTC Act. The settlement required CafePress to adopt stronger data security measures and pay a $500,000 penalty. (See FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security (F.T.C. News Release, June 24, 2022)).
This trend is almost certain to continue and will likely pick up steam. While Congress continues to debate the federal American Data Privacy and Protection Act (H.R. 8152), section 101 of the discussion draft imposes an express duty of data minimization for certain organizations. It mandates that they must collect, process, or transfer only data that is reasonable necessary, proportionate, and limited to a consumer's requested service or a permitted purpose under the Act.
Invest in Proper Data Hygiene Practices Now
Data minimization is no longer an aspirational feature of an organization's approach to privacy. Similarly, data security is not something an organization does only to reduce exposure from a potential data breach. Data minimization and security have become an independent obligation that organizations ignore at their own peril. Now, more than ever, is the time for organizations to carefully evaluate the records they retain and for what purpose. They should develop and document processes to ensure data, especially personal and sensitive data, is disposed of once it no longer serves a business need.
To achieve a healthy information lifestyle, organizations should:
- Revisit and re-evaluate their records retention policies and procedures.
- Update data maps.
- Assess the maturity of their overall information governance systems and programs.
It is also critical that changing practices affecting the retention of personal data are not misaligned with written policies and procedures. The only thing worse than not having a robust information governance program is having a set of policies and procedures that the organization does not follow due to confusion or inconsistency.
Two key component of a svelte information profile is to:
- Mindfully tackle data lakes (meaning, centralized repositories for data storage at scale) and offsite records storage facilities.
- Develop strategies for the defensible disposition of ROT.
The recent legal and regulatory pressures should act as a powerful catalyst for change and provide the motivation necessary to overcome the decision paralysis that organizations often face when challenged to mindfully pursue defensible disposition.
The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.