Data Minimization – Recent Enforcement Actions Show Why Some Companies Need to Get Rid of Old Electronic Records

by Avi GesserJohanna Skrzypczyk, and Michael R. Roberts

Since we last wrote about data minimization, there have been several regulatory developments that illustrate the increasing operational and regulatory risks of keeping large volumes of old data. As cyber threats continue to grow, and consumers gain more privacy rights over their personal data, businesses need robust data minimization programs that can significantly reduce the amount of sensitive data they collect and maintain. In this post, we discuss recent enforcement actions and regulatory requirements for getting rid of old data and offer six tips for complying with these developing obligations.

Recent Data Minimization Enforcement Actions

In January 2022, the New York Attorney General (“NYAG”) reached a $600,000 settlement with EyeMed related to a 2020 data breach in which attackers gained access to an EyeMed email account that contained sensitive customer data for a period of six years. The NYAG found multiple violations of the New York SHIELD Act, which requires businesses to “dispose[] of private information within a reasonable amount of time after it is no longer needed for business purposes.”  The NYAG alleged that it was unreasonable for EyeMed to leave personal information in the affected email account for up to six years rather than copy and store such information in more secure systems and delete the older messages from the affected email account.

In February 2022, the FTC filed a complaint against WW International Inc., formerly known as Weight Watchers, and its subsidiary Kurbo. The FTC alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) Rule and Section 5 of the FTC Act, based on the company’s collection and retention of personal information from children without proper notice and consent. Until August 2021, the companies retained children’s personal information indefinitely, unless requested by a parent to dispose of it. Starting in August 2021, the companies retained the data for three years, even if the user’s account had been dormant for multiple years. The companies agreed to pay $1.5 million for various data violations including “retaining personal information collected online from a child for longer than reasonably necessary to fulfill the purpose for which the information was collected.” Under the settlement, the companies must also set a time frame and criteria for deletion of such information, which may not exceed one year after the last instance of a user tracking food, weight, or activity intake, and make information about the retention schedule publicly available on their website and through notice to parents.

Regulatory Requirements

United States

 Under Section 5 of the Federal Trade Commission (the “FTC”) Act, engaging in unreasonable data security practices, including retaining data for longer than necessary for a legitimate business or legal purpose, is considered an unfair practice. In 2021, the FTC updated and strengthened the Safeguards Rule, which requires disposal of customer information. The final rule, in section 214.4(c)(6)(i), “require[s] the deletion of customer information two years after the last time the information is used in connection with providing a product or service to the customer unless the information is required for a legitimate business purpose” and “requires financial institutions to periodically review their policies to minimize the unnecessary retention of information.”  This obligation becomes effective on December 9, 2022. 

The New York SHIELD Act requires covered businesses to implement a data security program that includes disposal of private information “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.” Failure to comply is deemed a violation of New York’s prohibition against unfair or deceptive acts or practices.

The New York Department of Financial Services (the “NYDFS”) Cyber Rules require regulated financial entities to include policies and procedures in their mandated cybersecurity program for the secure disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes and does not need to be retained pursuant to a law or regulation. A senior officer or director of the regulated entity must certify compliance with the NYDFS Cyber Rules annually, including the data minimization obligation.

The Illinois Biometric Privacy Act (“BIPA”), requires that private organizations that have biometric identifiers and information must “develop a written policy, made available to the public” that establishes a “retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.”

The California Privacy Rights Act (“CPRA”), which largely becomes effective on January 1, 2023, requires that “a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.” The Virginia Consumer Data Protection Act (“VCDPA”), effective January 1, 2023, and the Colorado Privacy Act (“ColoPA”), effective July 1, 2023, contain similar data minimization requirements: a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data is processed.

European Union and United Kingdom

 Article 5/1/e of the GDPR provides that data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Under this requirement, businesses need to establish time limits for data deletion and to institute a periodic review of the necessity for continued data retention. Individuals also have a right to obtain information about the storage periods. The UK Data Protection Act of 2018 has a similar provision.

Challenges for Companies Wanting to Get Rid of Old Data

Corporate Cultural Impediments: Due to departing employees and passing years, employees at companies often do not know why certain data was collected, what information is contained in various databases, what company data is in the possession of vendors, or why certain data has been maintained up until now—all of which results in the choice to simply continue to retain data out of an abundance of caution. In addition, many employees, including senior executives, like to hold on to old data ‘just in case,’ especially for potential AI and big data projects. For these reasons, many companies have not implemented strict policies requiring the deletion of old data, and the businesses that have such policies often experience low rates of compliance.

Ownership and Budget: Getting rid of large data sets does not fall neatly into any particular business function. Moreover, various parts of the organization (e.g., Legal, Compliance, IT, Business, and Risk) often have different views on what should be deleted, how that should be done, and who should pay for the costs associated with that process. For each individual decision to retain a particular data set, the costs of that retention and storage seem minimally burdensome and inexpensive. But the cumulative effect of these decisions to keep particular data sets is a substantial increase in an organization’s total data volume, which can be very costly and increase cyber, privacy, and litigation risk.

Legal and Regulatory Holds: Legal obligations to keep certain documents for litigation or regulatory compliance can complicate efforts to delete old documents, especially for litigations where the conduct at issue covers lengthy periods of time and involves documents collected from several different custodians. Many lawyers remember the Arthur Andersen case, in which one of the largest accounting firms in the world dissolved following the deletion of documents that were relevant to various government investigations. As a result, the view developed that it is safest not to delete anything that could one day be relevant to litigation or an investigation. In practice, that meant that many companies began preserving virtually all of their documents because they were uncertain whether any large data set contained documents that could be relevant to some future litigation or regulatory action.

Six Tips for Overcoming the Challenges of Getting Rid of Old Data

Start Small: Consider imposing modest data retention restrictions at the outset rather than pursuing an ambitious, broad strategy. Some organizations have had success with their data minimization efforts by starting small and implementing policies that they are confident the business will follow. Those companies recognize that it is riskier for them to have an ideal policy, but with a low rate of actual compliance, than it is to have widespread compliance with a “good enough for now” policy. It is often easier to expand on a successful, albeit limited, program than it is to improve compliance with an unsuccessful, comprehensive one.

Recognize That Preservation Rules Have Changed: Reassess the legal risks of keeping various large sets of old data against the risks of deleting them. Because of the dramatic proliferation of electronic data since the Arthur Andersen case, as well as the related cyber and privacy risks associated with large data sets, the rules on data preservation have changed. In the United States, Federal Rule of Civil Procedure Rule 37(e) was amended in 2015 to provide that, if electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, then courts may order measures no greater than necessary to cure the prejudice. Under that Rule, the most severe sanctions are limited to situations where a party intentionally deprived the other side of the information. Recent decisions demonstrate the shift in thinking about spoliation claims as courts declined to impose sanctions on companies that have deleted old data in good faith but, in doing so, may have inadvertently deleted information that was relevant to the litigation. See Wai Feng Trading Co. Ltd. v. Quick Fitting, Inc., 2019 WL 118412 (D. R.I. Jan. 7, 2019) (denying Quick Fitting, Inc.’s motion that the court make a finding of spoliation as to 24 categories of electronically stored information and other physical evidence due to a lack of evidence that the adverse party intentionally deprived Quick Fitting of the information); see also Hardy v. UPS Ground Freight, Inc., 2019 WL 3290346 (D. Mass. Jul. 22, 2019) (denying a motion to compel plaintiff to provide a forensic image of his cell phone as a sanction for spoliation of text messages for lack of evidence that plaintiff acted with intent to destroy evidence relevant to the litigation); Martin v. Wetzel (W.D. Pa. Nov. 25, 2020) (denying motions for sanctions for failure to preserve video evidence because the court found there was no evidence of bad faith since the video was automatically overwritten).

Manage Expansive Legal Holds: Some companies have legal hold notices in place that cover documents that are more than 10 years old, which significantly complicates efforts to get rid of old data. Those companies should consider exempting certain employees who are likely to have documents responsive to the legal holds from the data minimization program until the legal hold is lifted. If the legal hold covers a large number of employees, then organizations can consider using the newest data analytics programs to find and isolate the documents that could be relevant to a litigation from the documents that are not and, therefore, can safely be deleted.

Automate the Deletion of Very Old Files: Some organizations have had success getting rid of old data by automatically deleting files that are older than a certain time period rather than relying on individuals to actively delete documents in accordance with policy, which can result in low organizational compliance rates. For automatic deletion programs, the cutoff date should be chosen so as to minimize the risks of deleting documents that should be preserved for litigation or regulatory purposes. Companies usually start with a very easy and safe deletion period (e.g., all documents older than 15 years) to test the program and then incrementally expand the deletion period over time (e.g., all documents older than 7 years).

Limit the Ability to Circumvent Deletion: Organizations implementing automatic deletion programs should provide employees with several weeks’ advance notice that electronic files in their possession that are more than a certain number of years old will be deleted on a particular date. Employees can be provided a folder in which they can archive a portion of their files that would otherwise be deleted. However, this folder should be limited in size so that employees cannot effectively circumvent deletion altogether by transferring all of their old data to that folder.

Protect the Data Being Retained: For data sets that cannot be deleted because of legal, regulatory, or business needs, companies should consider taking certain steps to reduce the cyber and privacy risks associated with retaining those documents. One possible protection involves the use of software to search for large pockets of personal information in the files that are being retained and either moving those files to a secure archive or implementing an additional layer of protection for those files, such as encryption or pseudonymization.

Conclusion

In the last few years, data minimization has evolved from one of the ways that some companies reduce their data security and privacy risks, to a regulatory requirement for most companies. As a result, for most organizations, it is now riskier to hold on to all their old data than it is to delete it.  But, identifying what data should be deleted, and how best to do so, is a complicated exercise that is best done incrementally and thoughtfully.

Avi Gesser is a partner, Johanna Skrzypczyk is counsel, and Michael R. Roberts is an associate, at Debevoise & Plimpton. The authors would like to thank Debevoise law clerk Emily Harris for her contributions to this post. This post originally appeared on Debevoise’s Data Blog.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.