Wednesday, September 5, 2018

Don't Store Information That Serves No Legal Or Business Purpose

Data Privacy is the right to control the collection, sharing and destruction of information that can be traced to an individual. In general, data privacy is more comprehensively protected outside of the United States, particularly in the European Union member states, where the Data Protection Directive places significant restrictions on the processing and transfer of personal data, and in other countries including Argentina, Canada, Israel, Switzerland and Uruguay. In the US, the approach to data privacy is generally contractual, and personal data does not enjoy the same level of general legal protection. Disparate laws in the United States do, however, mandate protections for specific types of data or target particular groups. Examples include: patient records under the Health Insurance Portability and Accountability Act (“HIPAA”), financial information under the Gramm-Leach-Bliley Act (“GLBA”), and prohibitions on the collection of information about children younger than 13 years old under the Children's Online Privacy Protection Act (“COPPA”).

In light of the intensifying threat environment that businesses operate in, a security best practice is simple: only keep what you need. In other words, in the absence of a legal or regulatory requirement to store data, don’t keep data that serves no purpose.

A sound strategic objective of a corporate organization is to dispose of information no longer required for compliance, legal hold purposes, or in the ordinary course of business. If there is no legal retention obligation, information should be disposed of as soon as the cost and risk of retaining the information outweigh its likely business value…Typically, the business value decreases and the cost and risk increase as information ages.

The courts have also held that a business that destroys data as part of its normal data retention / data destruction policy cannot be held liable for doing so, as long as there was no legal duty to preserve the data to begin with. See: Barnett v. Deere & Co., No. 2:15-CV-2-KS-MTP, 2016 WL 4544052 (S.D. Miss. Aug. 31, 2016) (declining to impose sanctions for the destruction of relevant documents pursuant to Defendant’s document retention policy at a time when there was no duty to preserve and, in its discussion of bad faith, noting that the court “does ‘not draw an inference of bad faith when documents are destroyed under a routine policy’”); Zubulake v. UBS Warburg LLC, 2003 U.S. Dist. LEXIS 18771, at *8 (S.D.N.Y. Oct. 22, 2003) (“It goes without saying that a party can only be sanctioned for destroying evidence if it had a duty to preserve it.”)
