It is an unfortunate truism that we can often learn from the misfortunes of others, and this is certainly true with respect to privacy breaches.
Beyond the need for increasingly robust security safeguards, recent media coverage of a number of high-profile privacy breaches offers another ready lesson for corporations that collect and store personal information: information that is not retained cannot be the subject of a data breach.
In one recent breach, the victim of a possible data theft noted that records provided to a vendor were apparently not destroyed, although the outsourcing organization believed that they had been. It was these records that were the subject of data theft by an unknown hacker. In another recent breach case, information was stolen from an internal database of customer information that was no longer being used.
Any data breach is a matter of great concern, but situations like these are particularly tragic as they are entirely avoidable.
Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased or made anonymous. Each of the federal Personal Information Protection and Electronic Documents Act, the Alberta Personal Information Protection Act, and the British Columbia Personal Information Protection Act explicitly requires such limited retention and eventual destruction.
When outsourcing work that involves providing personal information to a third party, most companies now include requirements in the outsourcing contract that the third party return or destroy the data in question once the work is completed – but how many companies follow up at the conclusion of a contract to ensure that this actually occurs? A range of options is open to outsourcers to help ensure that vendors follow through on these commitments, from requests for written confirmation of destruction to audits of the vendor's facilities.
However, retention of personal information that is no longer required is not limited to third-party vendors: many corporations maintain stale and unused internal databases of personal information. Sometimes this data is deliberately retained “just in case” it may later prove useful for marketing purposes; sometimes it is retained simply because no one bothered to erase or destroy it. Moreover, since such databases are not being used, they may not receive the same ongoing security scrutiny as more active files. Retention of such data creates an entirely avoidable data breach risk.
This is not to say that no data can be retained; to the contrary, there are many legitimate reasons to retain personal information, such as to avoid repudiation of purchases or service orders, to provide convenience to repeat customers and to meet legal requirements, such as statutorily-mandated retention of data or compliance with limitation periods. The trick is to keep only the data for which an organization has a real business or legal need.
All businesses that collect and retain such information should develop – and implement – a comprehensive data retention policy, setting out clearly justifiable retention periods for the various data elements they hold and mandating destruction after the expiry of these periods. Indeed, Canadian privacy laws require it.
Companies face enough challenges today in safeguarding personal information; it only makes sense to minimize potential exposure to data breaches, or other misuse of personal information, by limiting the retention of data.