Privacy by Deletion: Five Steps to Reducing Data Risk

When it comes to data retention practices, most companies are stuck in limbo, balancing competing needs between providing easy access to data for business and regulatory purposes and safeguarding data against leakage and breaches. The landscape 10 to 15 years ago was one of gross over-retention, with many practicing a blanket “save everything” approach. That landscape has begun to shift, as the risks associated with data security and data privacy have become paramount for many companies. While money, resources and technology can be directed to “protecting” confidential information from data breaches and data intrusions, the daunting reality is that if a company is retaining sensitive information, including personal information of employees and customers, the most effective protection is to ensure that such sensitive information is deleted when it no longer needed, or is deleted or removed from areas within the organization that do not have adequate protections in place. In sum, data privacy and data security are just one aspect of an effective information governance program.

Regulators are bolstering their efforts around cybersecurity and data risk management, and many are actively engaged in cybersecurity supervision and enforcement, requiring companies to identify data risk, manage data flows and delete data. Numerous bodies have specific fines they can impose for data mishandling, particularly that which includes sensitive customer information. Regulators are closely examining whether companies that house this type of information are managing it correctly, including implementing security controls, managing where and how it is stored and promptly deleting data once it is no longer needed. The SEC has communicated that the severity of fines for data breaches will be partially based on whether the company was storing customer information that was no longer needed.  One financial institution was fined $900,000 by FINRA for not doing enough to ensure data about customers’ trades were handled properly and for failing to protect customer privacy. The SEC hit another financial institution with a $1M fine for alleged failure to adopt written policies reasonably designed to protect customer data, and allowing an employee to access and transfer data to a personal server, which was hacked by third parties. The FTC, CFPB and state regulators are expected to be increasingly more aggressive in policing companies on managing information.