This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements. As mentioned earlier, The FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA.  It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices…

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements. As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data.  Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend. First, some brief context. …

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements. It seems like Data Security 101 to say that there cannot be a security breach of data a business no longer retains.  Carefully managing data retention and disposal is one of the most potent and effective security safeguards for any business.  Yet oddly, U.S. state laws mandating reasonable…

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements. Today’s companion post explores how the California Consumer Privacy Act (CCPA), without statutory provisions explicitly requiring data minimization or storage limitation, nevertheless incents covered businesses to carefully manage retention and disposal of personal information (PI).  But less than two years from now, the script gets flipped, with California…

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements. The California Consumer Privacy Act, effective January 1, 2020, was the Untied States’ first state-level comprehensive data privacy law.  And the CCPA blogging blitzkreig has not been merely hype – the CCPA presages a fundamental shift in U.S. privacy law. The statute was a bit convoluted in its…

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements. Last week’s post was a whirlwind history tour of U.S. data privacy law, honing in on the privacy principles of data minimization and storage limitation.  The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on…

This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.   Forgive me, but to fully appreciate the impact of state data privacy laws on managing records retention and disposing of unnecessary data, a bit of history is needed (if you’re allergic to history, skip this post).  Our focus is through the narrow lens of two key elements of…