Data Minimization Meets Defensible Disposition: Just Say No to ROT and Over-Retention of Personal Information
Like a good diet and regular exercise for the body, data minimization and routine, defensible purging of outmoded documents are essential to maintaining healthy organizational information hygiene. Data has a useful life. For some vital corporate records, that useful life could be nearly infinite. But for the vast majority of data, there is a point at which it no longer has business value. As data ages, the likelihood of it ever being accessed again decreases exponentially. Eventually, almost all of it becomes redundant, obsolete, or trivial (“ROT”).
Continued ownership of digital debris constitutes a significant and growing expense. Raw storage space may be cheap, but due to the increasing costs of security, labor, migration, maintenance, etc., the total cost of ownership of enterprise data has trended upward. Even if the trend reverses, the trajectory of increasing data volumes is unlikely to abate. Indeed, enterprise data is currently doubling every 24 months.
Moreover, obsolescent data can have negative value due to the possibility of a data breach. Unnecessary retention of personally identifiable information (PII), protected health information (PHI), payment card industry data (PCI), and a host of other consumer, employee, and business information exposes organizations to criminal, civil, and regulatory penalties. While legislative and regulatory activity had historically been focused on relatively established requirements of what organizations must keep (e.g., for tax purposes), legislators and regulators are now also focused on quickly evolving requirements of what data organizations may obtain, the manner in which they obtain it, for how long they may keep it, and how they must protect such data. Consequently, organizations are not simply spending money to store data that lacks value; they are spending money to perpetuate latent liabilities that grow more serious with time.
In short, the legislative and regulatory environment has shifted. Spearheaded by new data privacy and cybersecurity mandates, organizations are increasingly permitted only to collect personal data they absolutely need, only use it for the explicit purposes for which it was collected, and then appropriately dispose of personal data as soon as it is no longer reasonably needed. Organizations that stray from these data minimization dictates do so at their peril. As a result, the defensible disposition of ROT and personal data, in particular, should be viewed by many organizations with renewed interest and a sense of urgency.
The Rise of Defensible Disposition
Information governance is fundamentally a business function. The Supreme Court recognized this in the Arthur Andersen LLP v. United States decision when it stated that “[u]nder ordinary circumstances, it is not wrongful for a manager to instruct his employees to comply with a valid document retention policy, even though the policy, in part, is created to keep certain information from others, including the Government.” Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005). Many other courts have likewise recognized that records retention policies serve important and legitimate business purposes. Decisions regarding data retention and disposition should be made sensibly, because the yardstick by which an organization’s conduct will be measured is reasonableness. Perfection is neither expected nor even possible.
Nevertheless, corporate initiatives to remediate large volumes of ROT are often paralyzed by concerns that such information might include documents relevant to a future legal or regulatory proceeding. But the measure is not whether an organization applied its framework for retention and disposition with certainty that no relevant data was lost; it is whether the organization’s processes were reasonable under the circumstances. In this context, disposition that is sensible, consistent, programmatic, and documented is the hallmark of reasonableness.
It may also be dauntingly difficult to know how and where to begin. But reasonable retention is also not an all-or-nothing proposition. The fact that it is neither practical nor even possible to identify and purge all ROT in an organization does not mean that significant gains cannot be made through tactical initiatives targeting particular data stores. Many organizations can achieve significant reductions in hard and soft costs simply by adopting a framework for classifying information created and received going forward, remediating their most readily identifiable and addressable ROT, and assigning conservative retention periods to the remainder of their existing data so that the less readily identifiable ROT is remediated over time.
Even an organization that is unable to address the ROT in its existing information stores can make significant progress toward reasonable retention by developing and implementing a sound framework for classification, retention, and disposition of information not yet created or acquired. By classifying and otherwise managing information created and received going forward and implementing the policies, procedures, and technologies necessary to retain and dispose of information in accordance with such classifications, the organization sets a course that, over time, will see unclassified legacy information “age out” and current, properly classified information managed effectively in accordance with the organization’s business needs and legal and regulatory obligations.
The Advent of Data Minimization Mandates
As previewed above, defensible disposition and data minimization are no longer just “nice to do” but have become a “must do” for many organizations, especially when it comes to personal and sensitive data. Governments, both domestic and foreign, have adopted regulations and requirements mandating data minimization in the context of privacy and “personal information” of consumers. While the details vary, jurisdictions are increasingly adopting mandates that boil down to two basic concepts: (1) companies must not collect more personal data than necessary to fulfill a legitimate purpose, and (2) they must not keep what they have collected any longer than necessary to serve that purpose.
As with many aspects of privacy regulation, the European Union’s General Data Protection Regulation (“GDPR”) led the way in data minimization. Article 5 of the GDPR provides six “principles relating to processing of personal data,” and two directly address data minimization. Article 5(1)(c) provides that personal data must be “limited to what is necessary in relation to the purposes for which they are processed.” Article 5(1)(e) provides that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” And in the event covered organizations were in any doubt that data minimization is the name of the game, Recital 39 spells out that the Article “requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.” While not the focus of this article, organizations should bear in mind that other foreign jurisdictions around the world are also implementing these kinds of data minimization requirements.
The broad reach of the GDPR means U.S.-based companies that handle the personal data of European residents need to comply with these mandates or risk significant fines and penalties. But even purely domestic organizations are now firmly on the hook when it comes to data minimization. Since the GDPR came into effect, several U.S. jurisdictions and regulatory agencies have adopted privacy-related requirements that largely followed the E.U.’s lead on data minimization. The primary domestic sources of data minimization mandates that U.S. companies currently need to be concerned with are as follows:
- The California Privacy Rights Act (“CPRA”): Effective January 1, 2023, the California Privacy Rights Act (“CPRA”) will amend and supplement the California Consumer Privacy Act (“CCPA”) in many important ways. Significantly, the CPRA contains the first explicit data minimization requirement of any U.S. privacy law. For-profit businesses with over $25 million in annual revenue or that do major business buying or selling personal information of consumers must comply with the CPRA if they handle the data of any California consumers. The CPRA requires that companies disclose to consumers what personal data the company collects, for what purpose, and how long the data is kept. Section 1798.100(a)(1) – (3) of the statute then provides that a company “shall not collect additional categories of personal information or use personal information collected for additional purposes” beyond the disclosed purpose, and “shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.” Over-retention of personal data is also forbidden by Section 1798.100(c), which further mandates that the “collection, use, retention and sharing” of personal information shall be “reasonably necessary and proportionate” to achieve the business purpose for which the information was collected or processed.
- Virginia, Colorado, Utah, and Connecticut Consumer Privacy Laws: Also slated to become effective in 2023, the comprehensive consumer privacy legislation recently adopted by Virginia, Colorado, Utah, and Connecticut similarly promotes a policy of data minimization for covered organizations by requiring that “a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”
- The New York Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act: Companies that own or license private information of New York residents must comply with the SHIELD Act’s requirement to “implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” Organizations can comply with that requirement by implementing a data security program with certain defined features, one of which is that the organization “disposes of private information within a reasonable amount of time after it is no longer needed for business purposes.” N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4).
- The Illinois Biometric Information Privacy Act (“BIPA”): While not a newcomer, and focused on biometric information and identifiers, it should be noted that BIPA requires that “a private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.” 740 ILCS § 15(a). As a parade of class action lawsuits over recent years has shown, failure to comply with BIPA’s mandates can potentially result in steep statutory penalties and fee awards.
- The Federal Trade Commission: Section 5 of the FTC Act, which applies to “all persons engaged in commerce,” prohibits engaging in “unfair methods of competition” and “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C.A. § 45(a)(1). While that may not sound like a data minimization mandate on its face, the FTC has considered unreasonable data security practices to qualify as an “unfair or deceptive” practice—including, as discussed further below, collecting consumer data and retaining it longer than can be justified by a legitimate business purpose.
In addition, the FTC recently updated its Safeguards Rule, which applies only to financial institutions. The update, which goes into effect in December 2022, will require financial institutions to implement procedures for “the secure disposal of customer information” within two years of that information being last used unless keeping it longer is necessary for a legitimate business or legal purpose. 16 C.F.R. § 314.4(c)(6)(i).
Penalties for Over-Retention Of Personal Data Are Becoming More Prevalent
Given these legislative and regulatory mandates, organizations that fail to practice good data hygiene and over-collect or over-retain consumer data run a significant risk of drawing regulator attention—and potentially hefty penalties. Regulators have demonstrated an increasing willingness to enforce these data minimization mandates, with three recent developments in 2022 illustrating the trend.
First, in January, the New York Attorney General reached a settlement with vision benefits provider EyeMed related to a 2020 data breach in which hackers accessed an EyeMed email account, ultimately exposing the personal information of over two million consumers. The email account contained emails dating back six years, many of which contained sensitive personal and health information of individual patients. The Attorney General, pointing to the SHIELD Act’s data minimization mandate, alleged that it was “unreasonable to leave personal information in the affected email account for up to six years” rather than copying it to a more secure location or deleting older messages from the account. As part of the settlement, EyeMed paid for the oversight by taking on a host of onerous prospective obligations—and by paying a $600,000 penalty.
Next, in February of 2022, the FTC brought a complaint in California federal court against two companies related to what used to be called Weight Watchers (Kurbo Inc. and WW International). The companies offer weight management services through an app, and collected personal information from consumers, including children. The FTC alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) based on failure to get parental consent when gathering personal information of minors, and also labeled it an unfair trade practice under the FTC Act and the COPPA rules that the companies had retained the minors’ personal data so long—indefinitely at first, then later for three years. The companies settled the action in March by agreeing to delete personal information collected from children and pay a $1.5 million penalty.
Most recently, in June 2022, the FTC finalized an order in its enforcement action against owners of online custom merchandise platform CafePress related to a data breach. Among many other data security practices the FTC alleged were deficient, the agency claimed that CafePress “created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need.” The FTC considered the indefinite retention of data to have rendered false or misleading the company’s assurances to customers that their data would be secure, and also identified the failure to minimize data as one of the “unfair or deceptive practice[s]” that made CafePress liable under Section 5 of the FTC Act. As with the two enforcement actions discussed above, the settlement with the FTC required adoption of stronger data security measures and the payment of a penalty—in this case, $500,000.
This trend is almost certain to continue and will likely pick up steam. While the federal American Data Privacy and Protection Act is still being debated, section 101 of the discussion draft imposes an express duty of data minimization, mandating that covered entities “shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to” the provision of requested services or “a purpose expressly permitted by this Act.”
Now, More Than Ever, Is The Time To Invest In Good Data Hygiene Practices
As these developments make clear, data minimization is no longer aspirational. It has become an obligation that organizations ignore at their significant peril. Now, more than ever, is the time for companies to carefully evaluate what they are keeping and why, and to develop and document processes to ensure data—especially personal and sensitive data—is disposed of once it no longer serves a legitimate business need. In sum, “just say no” to ROT. Do not let your organization be (or become) the data equivalent of the last scene of the classic 1981 movie, “Indiana Jones And The Raiders Of The Lost Ark.”
A good first step to achieving a healthy information lifestyle is for organizations to revisit and re-evaluate their records retention policies and procedures, update data maps, and assess the maturity of their overall information governance systems and programs. In this regard, it is critical that changing practices regarding retention of personal data remain aligned with written policies and procedures. The reason is that the only thing worse than not having a robust information governance program is having a set of policies and procedures that are not followed. Another key component of maintaining a svelte information profile is to mindfully tackle “data lakes” and/or offsite records storage facilities to develop strategies for the defensible disposition of ROT. The new legal and regulatory pressures described above should be a powerful catalyst for change and provide the motivation necessary to overcome the decision paralysis that organizations often face when challenged to mindfully pursue defensible disposition and “just let it go.”
Martin Tully is a partner in the Chicago office of Redgrave LLP. He is a nationally recognized attorney with over three decades of experience representing companies and individuals in complex and high-stakes commercial litigation. His extensive focus and knowledge of e-discovery, information governance, and data privacy and cybersecurity have established him as a force in the information law space. He can be reached at mtully@redgravellp.com. Nick Snavely is also a partner in the firm in the Chicago office. He counsels clients on complex matters related to information law and guides clients through every stage of discovery, including negotiations with opposing parties and third parties. He can be reached at nsnavely@redgravellp.com.
The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.
Published in Cybersecurity Law & Strategy and Law.com
By Martin Tully and Nick Snavely