Suffering a data breach is bad enough. As often as it appears to happen, companies that are affected by a breach still shoulder a considerable burden. Management must stop the trains to identify the cause and scope of the breach—and then prepare for the aftermath. Lawyers are involved. The company’s brand is at risk. And the costs—employee time, legal fees, security consultants—quickly escalate.
But what if you determine that your company didn’t really need the information that was exposed? Suppose you find out that the breach involved a file that contained drivers’ license numbers or even credit card information, but your company had virtually no administrative need for that information? Or suppose the data pertained to transactions by young adults 7 years ago, and it is highly unlikely that any of the information is still relevant (much less accurate). This is the kind of discovery that adds insult to injury. Your company is forced to stop and invest significant funds to respond to a data breach involving data that it no longer has any use for in its marketing or operational efforts.
The surest way to avoid this problem is to review and assess the way you currently collect, retain, and store information. Here are a few items to consider:
· Collection – Do you really need all of the personal information that you are collecting from consumers? Review your intake procedure and revise it to collect only what you need for operational or marketing purposes. Also, are you even aware of all of the different portals through which your company may be collecting data from consumers? Inventory every one of them so that your assessment is complete. Do you have someone in your organization responsible for tracking the types of data you are collecting and the different processes through which you are collecting the data?
· Retention – How long are you storing personal information? And for what purposes? Are your practices consistent with PCI standards? What is your current retention policy and are you following it? There are federal and state laws that may govern the retention, disposal or destruction of your data. Be familiar with those laws. Within the confines of applicable laws, be sure you are not holding on to unnecessary or outdated data that would cause you intolerable frustration in the event it was breached. Do you have someone in your organization responsible for overseeing retention and disposal?
· Third Party Partners and Vendors – If you are sharing personal information with other parties (which, of course, needs to be disclosed to consumers in your privacy policy), be sure that your agreements with those parties contain appropriate safeguards. Are you requiring your vendors to secure personal information and prohibit the disclosure of that information? What happens in the event of a breach? Who bears the cost of notification? Are your vendors required to indemnify you if their mistakes lead to actions against your organization?
There is a simple rule that applies in a data breach: You are what you keep. So be careful with what information you currently collect and retain. Talk to your lawyer about whether certain information that you may consider to be “stale” may be properly and legally disposed of. And, more importantly, consider revising your practices going forward so you don’t continue to collect or retain any stale or unnecessary information.