When we are retained by clients to guide them through a cyber-attack in which information has been stolen by a threat actor, we almost always find that the client has unnecessarily stored sensitive information far beyond the period for which it required that data. There are two key problems with this approach (or lack thereof) to data retention: (1) in the face of a cyber-attack where criminals steal your information, the organization is incurring unnecessary costs and potential exposure to claims by retaining information it does not need, and (2) when it comes to personal information, retention beyond the required period can itself give rise to regulatory investigation and penalties, and to litigation claims.
The practice of over-retention can be particularly costly if the organization is storing, for example, social insurance numbers of all past employees going back decades, or copies of drivers’ licenses that it no longer needs. By storing this information beyond the required period, the organization exposes itself to increased costs in the face of a data breach. In particular, it may incur increased expert costs to review and determine the scope of compromised information, the cost of notifying more individuals than it otherwise would have had to, and possible credit monitoring costs. Moreover, the organization's relationship to the data subject can affect how a data breach notification is received. A notification is likely to be received very differently by a current employee who has a sense of loyalty to the employer than by a former employee who did not know that the former employer continued to retain their information.
In addition to the increased headache and cost of dealing with a breach of information the organization did not need to retain, the organization may have regulatory exposure for retaining information beyond the period for which it reasonably required it. Under privacy legislation, organizations are obliged to limit retention of data to the period required to meet the purpose for which the data was collected or generated, that purpose having been identified at the time of collection. That is, an organization may only retain information for the specified purpose disclosed to the data subject at the time of collection. When the information is no longer required to fulfill that purpose, and the organization is not otherwise required by law or contract to retain it, the organization is obliged to permanently destroy the information.
In circumstances where organizations notify a privacy commissioner of a data breach, the privacy commissioner often asks questions that reveal whether the organization is offside its obligations to minimize data retention. That is, a failure to minimize data retention will often surface quickly during an inquiry by a privacy commissioner's office. The failure to minimize data retention can give rise to regulatory fines or orders, and to litigation claims. In a class action arising from a data breach, the class may be larger than it needed to be had the organization appropriately limited data retention.
The appropriate retention period for personal information is not dictated as an exact number to be applied across every circumstance of collection. It is the responsibility of the organization, which determines the purpose for which information is collected, to determine the appropriate retention period. The purpose for the collection or generation of the information typically guides this determination. Subject to regulatory or contractual obligations to retain information, personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous. For example:
In developing protocols to put data minimization into action, here are questions your team should address:
If you have questions about cybersecurity risk management, reach out to Bennett Jones' Data Governance Protection and Cybersecurity group.