Data destruction is the process of removing information in a way that renders it unreadable (paper) or irretrievable (digital data). While it is critically important for companies to manage data in a way that is effective, defensible, and efficient, people and companies are often hesitant to dispose of data. The causes of this hesitance vary: why get rid of our beloved data when storage space is inexpensive and retention is easy? How do we determine which data no longer has business value? How do we analyze which data is subject to regulatory obligations or to litigation holds already in place? Who has the time and money to assess these questions? And yet, with data breaches on the rise (see Some Cyber-Musts For Maximizing Security), the SHIELD Act soon to be in effect (see What is New York’s Data Breach Notification Statute? And Does it Impact Me?), and the cost of e-discovery in litigation substantial, it is important (and seemingly required by SHIELD) for companies to implement a data disposal policy and practice.
The benefits of having a consistent data destruction policy cannot be overstated. A proper destruction policy will minimize the chances of having to preserve, collect, and review inordinately large volumes of data.* In turn, less data to preserve, collect, and review means less expense. Additionally, many of the new data privacy laws require destruction. For example, the SHIELD Act requires the implementation of reasonable safeguards to protect the private information of New York residents. Among the safeguards defined in the Act is a procedure to dispose of private information within a “reasonable amount of time” after it is no longer needed for business purposes. It therefore appears that a data destruction policy may be required for companies obligated to comply with SHIELD. Finally, retaining less data means less data is potentially compromised in the event of a breach.
Although every company should consider implementing a destruction policy, whether your company is obligated to take certain steps in destroying that data depends on the regulations that apply to your company. For example, depending on the industry in which you operate, you may have to look to HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, the Fair and Accurate Credit Transactions Act, or the Department of Financial Services for guidance.**
*Often the volume of data subject to a litigation hold (and thus potentially collected, reviewed, and produced) is substantial. Many companies have the proverbial packrat – the employee who has not deleted an email since s/he first started working at the company. In today’s e-centric world it is not uncommon to have tens of thousands of emails involved in a small litigation even where the entity has a documented destruction policy; imagine the volume when individuals or companies do not have, or do not follow, a data destruction policy.
** These laws, among other things, dictate the period of time for which you need to retain data.