Minimizing Privacy Risk With Data Minimization
While the practice of data minimization isn't exactly new, we're now seeing it resonate and discussed at the forefront of the legal industry for the first time.
September 02, 2019 at 01:00 AM
The original version of this story was published on Corporate Counsel
At a recent annual meeting of The Sedona Conference Working Group on Data Security and Privacy Liability, one key theme seemed to be on everyone's mind. During the sessions, which covered breach notification laws, litigation and other current issues impacting data privacy and security, the topic of data minimization came up again and again. While the practice of data minimization isn't exactly new, we're now seeing it resonate and discussed at the forefront of the legal industry for the first time.
The reason is that companies have never faced greater risk with respect to their data than they do today. The landscape is only growing more challenging and complex. Across the globe, stringent data protection laws have emerged, and several U.S. states are implementing legislation to introduce new regulations for how governments and businesses are permitted to handle personal data. Multinational corporations must navigate compliance requirements for the General Data Protection Regulation, China's Information Security Technology–Personal Information Security Specification and Cybersecurity Law, Brazil's General Data Privacy Law, the California Consumer Privacy Act, U.S. state-based breach notification laws and dozens of others.
The vector of risks introduced by data privacy laws grows exponentially when combined with cybersecurity threats, insider threats and potential theft of intellectual property and trade secrets. Since it's clear that the waters of data risk are going to be rough for the foreseeable future, corporations must start acting now to take steps that will narrow the scope of information they store. Data minimization is a critical strategy in that effort.
Data Past, Present and Future
Traditionally, many companies have taken a "save everything" approach, often simply because the company hasn't thought through its data retention needs. Others avoid deleting data out of a belief that saving everything can bolster big data insights and provide value, out of a lack of understanding of the risks, or out of worry over spoliation.
With information technology's migration to the cloud, patterns in the "save everything" mentality have started to shift in recent years. Many organizations completed a healthy reduction of their overall data universe when they migrated. But as cloud reliance has grown, and new tools such as Slack and other collaboration platforms are adopted, data volumes are growing again at a rapid rate. These new data sources bring yet another element of risk. Within three to five years, organizations without a proactive data retention and deletion program are going to have an even larger problem on their hands than they did before cloud migration, with massive amounts of data resting across numerous third-party sources.
Minimize the Data, Minimize the Risk
Simply put, the greater the data footprint, the greater the risk. Some circumstances may justify data redundancy, such as adequate backups or data that must be retained for regulatory or legal-hold purposes. As a best practice, anything outside of that scope—extra copies, legacy files and trivial information that is irrelevant to legal, compliance and business needs—should be minimized. Our teams have led extensive data breach response work, and time and again have encountered vast amounts of old and unnecessary data, including files with highly detailed personally identifiable information (PII), that continue to live on corporate email stores and computers. In many cases, legal teams are simply unaware that this data exists, and are then left scrambling to deal with the repercussions when a breach, privacy law violation or litigation event occurs.
Counsel must recognize the important role data minimization efforts play in addressing risk. Below are steps legal teams can take to implement a data minimization plan and maintain a reasonable retention and deletion policy long term.
Understand your data: Organizations need to understand what data they have, where it lives and how it is protected. This is particularly critical for personally identifiable and personal health information (PHI) as well as IP and trade secret information. Counsel can work with outside digital forensic experts to conduct a data mining and forensic analysis exercise on the corporate data universe to locate all PII, PHI and other sensitive information. This insight will inform a data inventory and heat map that shows sources containing sensitive information and exceeding reasonable retention requirements, allowing informed and defensible deletion.
Collaborate with information security: Data breaches, cybersecurity incidents and data protection authority inquiries inevitably lead to investigations. In many cases, these investigations reveal gaps in IT and security practices and access control. Legal must partner closely with information security teams to narrow down the scope of individuals who have access to view, transfer, change or delete critical information.
Set up a retention schedule: Once the scope of data has been reduced across corporate information stores, a retention schedule should be implemented and automated to ensure data volumes don't get out of control again. Strategic conversations across key stakeholders should take place to determine what the organization does and does not need to keep and for how long, taking into account any statutory legal and regulatory obligations.
Balance minimization and analytics needs: The advent of GDPR introduced a new tension between requirements to keep only what is reasonably necessary, and the need to feed big data into AI and analytics tools. Counsel can work with executive leadership to determine the organization's risk tolerance level, which will guide where decisions about data use and storage fall on the spectrum between high risk and conservative. Minimization efforts can follow suit. Even for the few organizations that aren't impacted by data privacy laws, the broader matrix of cybersecurity, trade secret and litigation risk is enough to warrant data minimization as a priority. It may seem like an insurmountable task, but with the right experts guiding the process, counsel can get data volumes under control and ensure legacy and redundant data do not create problems for the organization now or in the future.
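The data inventory, heat map and automated retention schedule described in the steps above, as an added illustration in Python that is not from the article or its authors: the retention categories, PII patterns, source names, legal-hold set and sample records are all constructed assumptions, and the scan scores each source by how much expired and sensitive data it holds while never marking a source under legal hold as deletable.

```python
from dataclasses import dataclass
from datetime import date
import re

# Constructed retention schedule in days, keyed by data category (assumed values).
RETENTION_DAYS = {"email_archive": 3 * 365, "hr_records": 7 * 365, "marketing": 2 * 365}
# Minimal sensitive-data indicators: a US-style SSN and a labelled medical record number.
PII_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\bMRN[:#]\s*\d+", re.I)]

@dataclass
class Record:
    source: str          # where the item lives (mail store, file share, SaaS app)
    category: str        # retention category assigned by the data owner
    last_modified: date
    text: str

def contains_pii(text: str) -> bool:
    return any(p.search(text) for p in PII_PATTERNS)

def is_past_retention(rec: Record, today: date) -> bool:
    limit = RETENTION_DAYS.get(rec.category)
    if limit is None:
        return False  # unclassified data is never auto-expired; it needs a human decision
    return (today - rec.last_modified).days > limit

def heat_map(records, today: date, legal_hold=frozenset()):
    """Per source: records past retention, how many carry PII/PHI, and whether
    deletion is permitted. Sources under legal hold are never marked deletable."""
    out = {}
    for r in records:
        entry = out.setdefault(r.source, {"expired": 0, "expired_pii": 0, "deletable": True})
        if r.source in legal_hold:
            entry["deletable"] = False
        if is_past_retention(r, today):
            entry["expired"] += 1
            entry["expired_pii"] += contains_pii(r.text)
    return out

# Constructed sample inventory; values are illustrative, not real data.
SAMPLE = [
    Record("mail-store", "email_archive", date(2014, 1, 15), "applicant SSN 123-45-6789 attached"),
    Record("mail-store", "email_archive", date(2019, 6, 1), "lunch on Friday?"),
    Record("hr-share", "hr_records", date(2010, 3, 3), "MRN: 44821 accommodation note"),
    Record("crm", "marketing", date(2016, 5, 20), "newsletter list v3"),
    Record("crm", "uncategorised", date(2010, 1, 1), "legacy export"),
]
LEGAL_HOLD = frozenset({"hr-share"})  # assumed: this share is under a litigation hold

def run_sample():
    return heat_map(SAMPLE, date(2019, 9, 2), LEGAL_HOLD)
```

Sources with a high expired_pii count and deletable set to true are where defensible deletion should start; the uncategorised record shows why every store needs an owner-assigned retention category before automation can act on it.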
Sheryl Falk is a partner and co-leader of Winston & Strawn's Global Privacy and Data Security Task Force. Steve McNew is a senior managing director within the technology practice of FTI Consulting and is based in Houston. Daniel Roffman is a senior managing director at FTI Consulting in the computer forensics practice of the technology segment.