Introduction

Much has been written recently on the increased cybersecurity and privacy risks that companies are facing. One of the most effective ways for organizations to mitigate those risks is to significantly reduce the amount of data that they collect and maintain. Having less data means that there is less sensitive information to protect from hacks or leaks which is why regulators are increasingly focused on the following data minimization requirements:

  • Collecting only the data that you actually need;
  • Using collected data only for authorized purposes; and
  • Retaining only data that you actually need.

Companies that have failed in the third element of data minimization, effectively getting rid of old data, have recently been the subject of regulatory action. In this Data Blog post, we discuss the regulatory requirements for getting rid of old data and offer six tips for complying with this new and difficult obligation.

Regulatory Requirements and Enforcement Actions

United States

Under Section 5 of the Federal Trade Commission (the “FTC”) Act, retaining data for longer than necessary for a legitimate business or legal purpose is considered an unfair practice. On November 12, 2019, the FTC fined InfoTrax Systems, L.C. for, among other deficiencies, “fail[ing] to have a systematic process for . . . deleting consumers’ personal information . . . that is no longer necessary.” In that case, the deletion of personal data it no longer needed would have significantly reduced the impact of a data breach that InfoTrax suffered that affected roughly one million of its customers.

The Data Security Requirements of the New York Shield Act, which became effective on March 21, 2020, provide that businesses that have private information of New York residents must “dispose[] of private information within a reasonable amount of time after it is no longer needed for business purposes . . . .” Although the Act does not create a private right of action, failure to comply is deemed a violation of the state’s prohibition against unfair or deceptive acts or practices.

The New York Department of Financial Services (the “NYDFS”) Cyber Rules—effective since September 2018—require regulated financial entities to include policies and procedures in their mandated cybersecurity program for the secure disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes and does not need to be retained pursuant to a law or regulation. A senior officer or director of the regulated entity must certify compliance with the Rules annually, including the data minimization obligation.

European Union and United Kingdom

Article 5/1/e of the European General Data Protection Regulation (the “GDPR”) provides that data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Under this requirement, businesses need to establish time limits for data deletion and to institute a periodic review of the necessity for continued data retention. Individuals also have a right to obtain information about the storage periods.

On October 30, 2019, the German Supervisory Authority of the State of Berlin (the “Supervisory Authority”) fined Deutsche Wohnen SE, a real estate company, 14.5 million euros for violating the GDPR storage limitation principle. Despite prior warnings from the Supervisory Authority, the company continued to store personal data of tenants—including old salary and bank statements as well as tax, social security and health insurance data—that were no longer needed to serve the initial purpose of their collection. In its press release, the Berlin Commissioner stated that the Supervisory Authority frequently comes across what it describes as “data graveyards” and reiterated that the GDPR data minimization principles are meant to help companies reduce the risks associated with cyber attacks and other data security incidents. It is important to note that a substantial fine was imposed without any specific example of harm to anyone, and there was no indication that the company collected too much data in the first place. Rather, it was fined for not getting rid of data that it lawfully collected but no longer needed—a criticism that can be made of many companies.

Complying with Data Minimization Requirements

Challenges to Effective Data Minimization

Entities that are required to get rid of large amounts of old data face cultural, budgetary, legal and other practical challenges:

  • Corporate Cultural Impediments. Due to departing employees and faded memories, employees at companies often do not know why certain data was collected, what information is contained in various databases or servers, what company data is in the possession of vendors and other third parties or why the data has been maintained up until now—all of which result in the choice to simply continue to retain data out of an abundance of caution. In addition, many employees, including senior executives, like to hold onto old emails and documents “just in case,” thereby creating difficulty in achieving widespread compliance within the organization. For these reasons, many companies have not implemented policies requiring the deletion of old data, and the businesses that have implemented such policies often experience low rates of compliance.
  • Ownership and Budget. Getting rid of large data sets does not fall neatly into any particular business function. Moreover, various parts of the organization (e.g., Legal, Compliance, IT, Business and Risk) often have different views on what should be deleted, how that should be done and who should pay for the costs associated with that process. For each individual decision to retain a particular data set, the costs of that retention and storage seem minimally burdensome and inexpensive. But the cumulative effect of these many decisions to keep a particular data set is an enormous increase in an organization’s total data volume, which can be very costly and increase cyber, privacy and litigation risk.
  • Legal and Regulatory Holds. Legal obligations to keep certain documents for litigation or regulatory compliance can complicate efforts to delete old documents, especially for litigations where the conduct at issue covers lengthy periods of time and involves documents collected from several different custodians. Many lawyers remember the Arthur Andersen case, in which one of the largest accounting firms in the world dissolved following the deletion of documents that were relevant to various government investigations. As a result, the view developed that it is safest not to delete anything that could one day be relevant to litigation or an investigation. In practice, that meant that many companies began preserving virtually all of their documents because they were uncertain whether any large data set contained documents that could be relevant to some future litigation or regulatory action.

Six Tips for Overcoming the Challenges of Getting Rid of Old Data

  1. Start Small. Consider imposing modest data retention restrictions at the outset, rather than pursuing an ambitious, broad strategy. Some organizations have had success with their data minimization efforts by starting small and implementing policies that they are confident that the business will follow. Those companies recognize that it is riskier for them to have an ideal policy, but with a low rate of actual compliance, than it is to have widespread compliance with a “good enough for now” policy. It is often easier to expand on a successful, albeit limited, program than it is to improve compliance with an unsuccessful comprehensive one.
  2. Recognize That Preservation Rules Have Changed. Reassess the legal risks of keeping various large sets of old data against the risks of deleting them. Because of the dramatic proliferation of electronic data since the Arthur Andersen case, as well as the related cyber and privacy risks associated with large data sets, the rules on data preservation have changed. In the United States, Federal Rule of Civil Procedure Rule 37(e) was amended in 2015 to provide that, if electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, then courts may order measures no greater than necessary to cure the prejudice. Under that Rule, the most severe sanctions are limited to situations where a party intentionally deprived the other side of the information. Recent decisions demonstrate the shift in thinking about spoliation claims as courts declined to impose sanctions on companies that have deleted old data in good faith but, in doing so, may have inadvertently deleted information that was relevant to the litigation. See Wai Feng Trading Co. Ltd. v. Quick Fitting, Inc., 2019 WL 118412 (D. R.I. Jan. 7, 2019) (denying Quick Fitting Inc.’s motion that the court make a finding of spoliation as to 24 categories of electronically stored information and other physical evidence due to a lack of evidence that the adverse party intentionally deprived Quick Fitting of the information); see also Hardy v. UPS Ground Freight, Inc., 2019 WL 3290346 (D. Mass. Jul. 22, 2019) (denying a motion to compel Plaintiff to provide a forensic image of his cell phone as a sanction for spoliation of text messages for lack of evidence that Plaintiff acted with intent to destroy evidence relevant to the litigation).
  3. Manage Expansive Legal Holds. Some companies have legal hold notices in place that cover documents that are more than 10 years old, which significantly complicates efforts to get rid of old data. Those companies should consider exempting certain employees who are likely to have documents responsive to the legal holds from the data minimization program until the legal hold is lifted. If the legal hold covers a large number of employees, then organizations can consider using the newest data analytics programs to find and isolate the documents that could be relevant to a litigation from the documents that are not and, therefore, can safely be deleted.
  4. Automate the Deletion of Very Old Files. Some organizations have had success getting rid of old data by automatically deleting files that are older than a certain time period rather than relying on individuals to actively delete documents in accordance with policy, which can result in low organizational compliance rates. For automatic deletion programs, the cutoff date should be chosen so as to minimize the risks of deleting documents that should be preserved for litigation or regulatory purposes. Companies usually start with a very easy and safe deletion period (e.g., all documents older than 15 years) to test the program and then incrementally expand the deletion period over time (e.g., all documents older than 7 years).
  5. Limit the Ability to Circumvent Deletion. Organizations implementing automatic deletion programs should provide employees with several weeks’ notice in advance that electronic files in their possession that are more than a certain number of years old will be deleted on a particular date. Employees can be provided a folder in which they can archive a portion of their files that would otherwise be deleted. However, this folder should be limited in size so that employees cannot effectively circumvent deletion altogether by transferring all of their old data to that folder.
  6. Protect the Data Being Retained. For data sets that cannot be deleted because of legal, regulatory or business needs, companies should consider taking certain steps to reduce the cyber and privacy risks associated with retaining those documents. One possible protection involves the use of software to search for large pockets of personal information (credit cards, social security numbers, etc.) in the files that are being retained and either moving those files to a secure archive or implementing an additional layer of protection for those files, such as encryption or pseudonymization.

Conclusion

In the last few years, data minimization has evolved from one of the ways that some companies reduce their data security and privacy risks to a regulatory requirement for most companies. As a result, for some organizations, it is now riskier to hold on to all their old data than it is to delete it, but identifying what data should be deleted and how best to do so is a complicated exercise that is best done incrementally and thoughtfully.

If you are interested in joining the small group of Debevoise clients who are beta testing the Debevoise Data Portal, please contact us at dataportal@debevoise.com for more information.

***

To subscribe to the Data Blog, please click here.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and complex commercial litigation. He can be reached at agesser@debevoise.com.

Author

Dr. Friedrich Popp is a senior associate in Debevoise's Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law. He can be reached at fpopp@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a member of the firm’s Data Strategy & Security practice. Her cybersecurity and data privacy practice focuses on compliance design, incident preparation and response, and regulatory notification. She can be reached at mxu@debevoise.com

Author

Michael Bloom is an associate in the Litigation Department. He can be reached at mjbloom@debevoise.com.