Why my firm doesn’t use generative AI
Information Bytes
by Peter Sloan
5M ago
I’ve been waiting, and then it arrived, in a client’s updated Outside Counsel Guidelines: The Firm and its personnel or subcontractors shall not use any External Generative AI Tools in the performance of any services in relation to a Matter … or use External Generative AI Tools to generate any deliverable, document or content for [Client], regardless of the intended end use. No problem. We don’t use generative AI tools in our client work. Don’t get me wrong – we’re not Luddites here, and I’m not dreading a Skynet singularity anytime soon. We’re a law firm focused on Information Gov …
PII Breach Notification Laws: the seas remain choppy
Information Bytes
by Peter Sloan
11M ago
As we watch the tsunami of state comprehensive consumer privacy laws now spreading from California across the U.S., it’s time to revisit the flood zone of state-level PII breach notification statutes, which also flowed forth from California back in 2002. By 2018 that wave had reached every state, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Each state has its own unique approach. And the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications. Changes s …
Less Data is Now Even More Than Ever
Information Bytes
by Peter Sloan
1y ago
Well, turns out I was both right and wrong in my prediction from two years ago: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance. Buckle up.” That prediction is indeed playing out, but far faster than I expected. Again, we’ve always known that managing data volumes is prudent for U.S. businesses. But as a matter of pure legal compliance, U.S. federal and state laws have traditionally followed a “mandatory minimum” retention approach, requiring that businesses keep sp …
Less Data #6: Explosion of new state consumer privacy laws compels deletion of unnecessary data
Information Bytes
by Peter Sloan
1y ago
We’re witnessing a “rapid, unscheduled disassembly” (thanks SpaceX) of comprehensive consumer privacy laws across the United States. While these new state laws generally have a different, sleeker structure than California’s CCPA/CPRA, they share a similar impact – each such law compels or motivates covered businesses to delete unnecessary data. Following California’s lead, comprehensive consumer privacy laws have now been enacted in Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), Utah (effective December 31, 2023), and Iowa (effec …
Less Data #5: With CPRA, California doubles down on deleting unnecessary data
Information Bytes
by Peter Sloan
1y ago
Last month California finalized its updated regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). With the CPRA, California has upped the ante on requiring data retention schedules and disposal of unnecessary data. As always, to fully appreciate where we are, we need to remember from where we’ve come. With but rare exceptions, U.S. data privacy laws have not explicitly required data retention schedules, or data minimization (only collect data we need), or storage limitation (dispose of data when no longer needed). But this began …
Less Data #3: New FTC enforcement actions double-down on requiring retention schedules and data disposal
Information Bytes
by Peter Sloan
1y ago
We’ve already seen how new FTC regulations for GLBA-regulated financial institutions require retention schedules and disposal of unnecessary data as essential data security controls. The FTC is now also taking that position for all businesses under Section 5 of the FTC Act, as seen in a slew of recent FTC data security enforcement actions. Two years ago I summarized the history of FTC enforcement on this issue. For decades the FTC has enforced reasonable data security under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commer …
Less Data #2: New FTC Safeguards Rule requirements
Information Bytes
by Peter Sloan
1y ago
The FTC has updated its data security regulations for the financial institutions it regulates under the Gramm-Leach-Bliley Act (GLBA). The FTC’s revised requirements for information security programs, effective June 1, 2023, will now mandate data retention policies and disposal of unnecessary customer information. To appreciate what this means, we must take a quick look at how we got here. GLBA, enacted back in 1999, required financial institution regulators to establish standards for safeguarding the security and confidentiality of customer data. 15 U.S.C. § 6801(b). The reg …
Less Data #1: State-level data security enforcement
Information Bytes
by Peter Sloan
1y ago
As mentioned in the initial post in this series, data security laws are emerging with explicit requirements to dispose of unnecessary data. But will regulators take this seriously? The 2022 enforcement actions against EyeMed Vision Care LLC provide $5.1 million reasons to conclude yes. First, some context. Carefully managing data retention and disposal is one of the most effective security safeguards for any business. You can’t have a breach of data your business no longer retains, right? But U.S. state laws mandating reasonable data security for personally identifiable information (PII …
The Puzzle of State PII Breach Notification Statutes
Information Bytes
by Peter Sloan
3y ago
It’s once again time for a summary round-up for the puzzling array of state PII breach notification laws. Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold …
Less data is more than ever: connecting the dots
Information Bytes
by Peter Sloan
3y ago
In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements: State statutes on PII data security and data disposal in Alabama, Colorado, New Mexico, New York, Oregon, and Rhode Island now require that PII be disposed of when no longer required by retention laws or otherwise needed for business purposes. New York’s DFS cybersecurity regulations now require DFS-regulated financial services businesses to have …