We’re all guilty of it.  We keep things that we don’t need, like that pair of stone-washed jeans from 1992 that you hope will come back into style or your beanie baby collection that you blindly believe might be worth something someday.  While our inability to purge old stuff from our closets may cost us closet space, the repercussions for an organization that hoards data are far more significant.  From a cybersecurity perspective, the more personal information a company maintains, the more information it has to lose.  Consequently, the more information a company loses, the higher the financial and reputational costs.

It’s important to note that some data privacy laws require organizations to only keep data as long as necessary, such as the European Union’s General Data Protection Regulation, the Children’s On-line Privacy Protection Act and the New York Department of Financial Services Cybersecurity Requirements, to name a few.  However, even if those privacy laws do not apply to your organization, there are also other practical considerations for proper information retention.  These considerations include reducing paper and electronic storage costs and keeping litigation costs down during discovery because there will not be excess data to retrieve, search or turn over.

One thing has become clear over the past several years: breaches of electronic data are inevitable.  Certainly, an organization should take all reasonable measures to prevent those breaches but it should also implement a mitigation strategy to ensure that, if there is a breach, there is as little damage as possible.  That mitigation strategy includes incident response planning and training as well as ensuring that an organization only retains the data it needs to operate its business.  This requires that an organization adopt data retention policy.

When creating a data retention policy, organizations need to assess whether it needs all of the information it collects and the applicable legal requirements for retaining such information.  Clearly, if the law requires an organization to maintain records for a particular amount of time (such as medical records or information subject to a legal hold), then the organization must comply.  If there is no legal requirement, then the organization will have to determine the business need for the information and the appropriate length of time to maintain it.

Finally, as with any policy, the organization must implement the policy and ensure that it is destroying data in accordance with that policy – no exceptions for fashion relics or potentially valuable collectibles.

Tags: COPPA, data retention, GDPR, NYDFS, Privacy, risk mitigation
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.

Read more about Daniel J. KaganDaniel's Linkedin Profile
Show more Show less
Related Posts
OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity
April 25, 2017
100 Days from CCPA, Is Your Business Ready?
September 23, 2019
Three Important Considerations For All Businesses in Light of GDPR
May 25, 2018