Our 2022 Data Security Incident Response Report discussed how businesses can be better positioned to meet the tight data breach notification deadlines now imposed in dozens of countries worldwide. In particular, we highlighted some steps businesses can proactively take to improve their ability to meet these notice requirements, including:

  1. Knowing which international laws and regulatory authorities are applicable to your business;
  2. Recognizing the types of personal data covered by each applicable foreign law;
  3. Clearly understanding your business’s global business profile and compliance posture;
  4. Having basic information commonly requested in notice forms readily available; and
  5. Making sure to account for translation time.

In this blog post, we discuss another proactive step businesses can take to minimize the effects of a personal data breach – avoiding the over-retention of personal data before an incident. Most comprehensive data protection laws, including new U.S. state privacy laws, already have something to say about limiting personal data storage. But cleaning up the personal data your business holds can provide additional benefits, including:

  1. Limiting personal data potentially exposed to a data breach;
  2. Fewer personal data surprises if a data breach happens; and
  3. Better overall understanding of your networks and systems holding personal data, which further enhances the speed with which you can react to a data breach.

If you haven’t read the Recitals to the EU’s General Data Protection Regulation (GDPR) for a while (or ever), Recital 39, which provides additional information relevant to Article 5, includes the following – “The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.” Recital 39 continues on, encouraging businesses to establish time frames for personal data erasure or at least periodic review. GDPR Article 13 goes on to require that people be provided a notice that includes the period that personal data will be stored (or if that is not possible – and many businesses seem to deem this impossible – the criteria used to determine the retention period).

The California Privacy Rights Act (CPRA) Section 1798.100 follows the language of the GDPR in requiring disclosure of the time periods for which a business intends to retain personal information or – if that’s not possible – the criteria used to determine the retention period. Under South Korea’s Personal Information Protection Act and by related decree, the personal data retention period must be disclosed in certain records and notices, and the privacy officer is tasked with ensuring appropriate data deletion. Turkey’s Regulation on Erasure, Destruction, or Anonymization of Personal Data generally obligates data controllers to have a personal data retention and deletion policy, and Turkey’s Personal Data Protection Law requires controllers to provide the maximum retention periods to the regulator as part of the data controller registration. Further, other data protection laws, such as those in Australia, Canada, China, Ghana, Kenya, Mexico and Singapore, require the deletion of personal data when the personal data is no longer needed for a valid purpose or the retention period expires.

Regulatory authorities have taken note of businesses’ failures to establish or to abide by established retention policies and schedules. Regulatory fines for over-retention have covered sensitive personal data, geolocation data, common personal identifiers, video footage, employee monitoring, cookies and every type of personal data in between. For example, in August 2021, following a data breach, Singapore’s Personal Data Protection Commission fined a business for failure to comply with the Personal Data Protection Act’s Retention Limitation Obligation, which “requires an organization to cease retaining data in a form that can identify the individual if the purpose of collection no longer exists, and if no business or legal reason exists for retention.” In this instance, the business did not delete a testing database that was created for the explicit purpose of testing new functionalities, and the business could not adequately justify to the regulator, despite its best efforts, why it needed to keep the testing database. Additionally, the business did not meet its own public privacy notice retention claims, which could have avoided the data breach, as the testing database would have been previously deleted or its personal data anonymized.

Closer to home, the New York SHIELD Act requires the deletion of personal data after that data is no longer needed for business purposes. As part of the settlement following a reported data breach involving consumer data, the New York Attorney General imposed a requirement on the company to permanently delete consumers’ personal data “when there is no reasonable business or legal purpose to retain it.” In the settlement, the Attorney General writes that it was “unreasonable to leave personal information in the affected email account for up to six years rather than to copy and store such information in more secure systems.” And in June 2022, the Federal Trade Commission announced its finalized order against an online retailer, requiring the company to implement, as part of the mandated information security program, “policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures.”

Meanwhile in the EU, Denmark’s data protection authority fined the administrative region of South Denmark following a data breach investigation that uncovered numerous security flaws, among them the over-retention of personal data in temporary storage prior to archiving. France’s data protection authority issued a fine in connection with a data breach investigation that pointed to a rental company’s over-retention of documentation related to unsuccessful rental applicants. Other recent EU data protection authority fines have continued to point to noncompliance due to the over-retention of personal data beyond justifiable need or the data’s validity. Enforcement actions have mentioned personal data retained outside the scope of defined retention periods – both statutory retention periods and those determined by the entity. EU data protection authorities have also cited businesses for not identifying retention periods, providing retention schedules, or even for creating the criteria for retention periods, all of which can lead to the indefinite retention of personal data. Finally, authorities have found fault with businesses’ lack of information given to people who use their services regarding anticipated retention of provided personal data.

Personal data breach notification remains one of the primary ways that a business may end up on a regulator’s radar. Attempting to explain why your business is holding personal data (for example, from defunct user accounts, following data deletion requests, from people who applied to work for you many years ago or from databases you thought had been deleted) is not an enviable position when that personal data turns up during a security incident. Operationalizing your retention policy and schedule to ensure appropriate data deletion is a critical component of data security practices and data management strategy that can help minimize data breach risks and improve overall privacy compliance.