Data retention. It’s not something that excites and invigorates businesses. But it is a necessary cost of doing business, not only to ensure one retains certain data for as long as each applicable law requires, but also as an increasingly important risk mitigation strategy.
Determining how long to retain a type of data or record depends on several factors. Various laws and regulations mandate that businesses retain certain records and data for minimum time periods. Statutes of limitation on certain types of claims also guide businesses as to how long to retain certain data. Conversely, privacy laws have always included a component of data minimization requiring businesses not to “hoard” data. Taken as a whole, these different rules require businesses to strike the right balance between retaining data for at least the properly mandated period and not retaining it for longer than necessary. Getting this right is now even more important given the increasing risk of class action lawsuits for data security breaches. Quite simply, the more data you have, the more data you can lose. Holding large stores of data further complicates the tracking of data that may have been accessible to or taken by an unauthorized third party. This is one reason why, despite requirements to promptly notify individuals that their data was accessed in a security breach, businesses may take months to provide those notifications.
Two years ago, a client suffered a data security breach when their entire IT system was infiltrated through a single employee’s computer. The company’s HR systems were hacked, as well as the systems holding the company’s customer and user records. The HR systems housed highly sensitive data, including social security numbers and driver’s license information, on past and present employees, including information of former employees dating back more than 15 years. The company also retained customer and user data (which also included some sensitive information) “indefinitely” – the rationale being that the business development team might want to reach back out to lapsed customers, even if their last purchase was more than 10 years past. A bifurcated and thoughtful data retention policy, such as one mandating the retention of customer name and email contact only and within a limited time frame, could have helped to reduce the company’s notification obligations with respect to the unauthorized access. In this particular case, there really was no legitimate need to retain such sensitive data or prior customers’ data for so long.
Companies increasingly store and rely on vast quantities of data collected through different channels, and in the absence of a data retention policy – one that is enforced within the company – data can become a huge liability. Many companies tend to worry about the risks associated with permanently deleting data rather than those associated with retaining too much data. However, with increasingly stringent privacy laws, having a data retention policy in place is step number one in striking the proper balance. Data retention policies are critical not only in helping to ensure that businesses delete data that is no longer warranted while retaining what is required or necessary, but also in managing compliance with various legislative requirements. At a high level, a data retention policy should:
- Designate stakeholders within the company to address data retention rules and needs.
- Identify the types of data that are collected and retained. This is the foundation of any privacy program.
- Identify applicable laws and data retention versus minimization mandates. For most companies, this will mean identifying (and balancing) quite a few laws or regulations across various sectors – tax, HR, privacy etc. – and possibly across multiple jurisdictions.
- For each type of data, describe the length of time that it should be retained as well as the format in which it should be stored – in the absence of a legal requirement to retain the data, aim at minimization.
- Where applicable laws require the company to honor consumer deletion rights, these should also be addressed in the policy.
- Identify who, within the company, has the authority to delete data, and the process by which to dispose of data once the retention period is up.
- Make sure that staff are trained and understand how data should be collected, retained and stored.
Data retention policies will enable companies to keep what is needed and shed what is no longer needed – thereby reducing risks in the event of a security breach. Not only is there an increasing risk of class actions with respect to data security breaches under laws such as the CCPA that carry a private right of action with statutory damages, but state attorneys general also bring enforcement actions against companies for failing to adequately secure data when such failure results in a security breach. Even if a security breach does not immediately result in an investigation, regulators are watching. Just recently, the California Attorney General settled with Anthem, Inc. in a case stemming from Anthem’s failure to maintain reasonable security measures, which led to a 2014 data security breach, as announced here. With the CCPA and follow-on similar laws, as well as more sophisticated bad actors improperly accessing data, we can be sure that we will see more class actions and enforcement actions for data security breaches in the future.