Data breaches are a serious threat to any business that collects, stores or processes personal data of customers, employees, or other parties. Data breaches can result in financial losses, reputational damage, legal consequences, and regulatory fines. One of the factors that can affect the severity of these outcomes is the retention period of the breached data.
Retention period refers to the length of time a business keeps personal data before deleting or destroying it. Retention periods are often determined by various laws and regulations that apply to different types of data and industries, the purpose and legal basis of the data processing, and different jurisdictions. For example, the General Data Protection Regulation (GDPR) in the European Union requires businesses to keep personal data only for as long as necessary for the purposes for which it was collected or processed and to delete or anonymize it afterward. Other regulations may specify minimum or maximum retention periods for certain categories of data, such as tax records, health records, or financial records.
Impact and Liability
The retention period of the breached data can impact the business liability in several ways. First, it can affect the number and identity of the data subjects whose data is compromised. The longer the retention period, the more data subjects will likely be affected by the breach and the more diverse and sensitive their data may be. This can increase the risk of identity theft, fraud, discrimination, or other harms to the data subjects and, consequently, the potential claims and lawsuits against the business.
Second, it can affect the compliance status of the business with respect to the applicable laws and regulations. The shorter the retention period, the more likely the business is to comply with the data protection principles and obligations under the relevant legal frameworks. This can reduce the risk of regulatory investigations, sanctions, or penalties for the business. On the other hand, if the business retains data longer than necessary or permitted by law, it may violate the data protection rules and face additional liability for non-compliance.
Third, it can affect the reputation and trustworthiness of the business in the eyes of its customers, partners, and stakeholders. The shorter the retention period, the more likely the business is to demonstrate respect for the privacy and security of its data subjects and its commitment to minimizing its data footprint and exposure. This can enhance the reputation and loyalty of the business in the market and society. Conversely, if the business retains data longer than needed or allowed by law, it may appear careless, irresponsible, or greedy with its data practices and lose its credibility and goodwill.
Examples of Impact of Data Breaches
In 2017, Equifax, one of the largest credit reporting agencies in the US, suffered a massive data breach that exposed the personal information of 147 million people, including names, Social Security numbers, birth dates, addresses, and driver's license numbers. The breach occurred because Equifax failed to patch a known vulnerability in its web application for months. Equifax also kept some of this data for longer than necessary or required by law. As a result of this breach, Equifax faced multiple lawsuits from consumers and regulators, as well as a loss of trust and reputation in its industry. In 2019, Equifax agreed to pay up to $700 million to settle a class action lawsuit and investigations by federal and state authorities in the US.
In 2018, Marriott International, one of the largest hotel chains in the world, disclosed a data breach that affected up to 500 million guests who had stayed at its Starwood properties since 2014. The breach involved unauthorized access to a database that contained names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. The breach occurred because Marriott failed to secure its systems after acquiring Starwood in 2016. Marriott also kept some of this data for longer than necessary or required by law. As a result of this breach, Marriott faced lawsuits from customers and regulators in several countries, as well as a fine of £18.4 million from the UK Information Commissioner's Office (ICO) for violating the GDPR. One factor contributing to the severity of the breach and the fine was that Marriott failed to apply appropriate data retention periods and kept customer information longer than necessary.
In 2020, Twitter experienced a coordinated social engineering attack that compromised 130 high-profile accounts belonging to celebrities, politicians, businesses, and organizations. The attackers used these accounts to post fraudulent messages soliciting bitcoin donations from unsuspecting followers. The attack occurred because Twitter employees were tricked into giving away their credentials to hackers who posed as IT support staff. Twitter also kept some of this data for longer than necessary or required by law. As a result of this attack, Twitter faced multiple investigations from authorities and regulators, as well as a loss of trust and reputation in its platform.
Recommended Best Practices
Complying with the relevant laws and regulations that specify minimum or maximum retention periods for certain types of data or sectors. For example, in the EU, the General Data Protection Regulation (GDPR) requires data to be stored for the shortest time possible, unless there are specific legal obligations or public interest reasons to keep it longer. The GDPR also allows national laws to implement more specific rules on data retention periods, such as the German Federal Data Protection Act (BDSG) or the UK Data Protection Act 2018. In addition, there may be sector-specific laws that regulate data retention periods, such as the ePrivacy Regulation (if it enters into force), the TTDSG in Germany for electronic communication, or the CPRA in California for consumer privacy rights.
Establishing clear and transparent policies and procedures for data retention periods and communicating them to data subjects and other stakeholders. Businesses should inform data subjects about how long they keep their personal data or the criteria they use to determine retention periods, as well as their rights to access, rectify, erase, restrict, or object to the processing of their data. Businesses should also document their data retention policies and procedures internally and review them regularly to ensure they are up-to-date and consistent with their legal obligations and business needs.
Applying data minimization and pseudonymization techniques to reduce the amount and identifiability of the data that is stored and processed. Data minimization means that businesses should only collect and process the data that is necessary and relevant for their specific purposes, and not keep it longer than needed. Pseudonymization means that businesses should replace direct identifiers (such as names or email addresses) with indirect identifiers (such as codes or tokens) that cannot be linked back to the original data without additional information. These techniques can help businesses limit their exposure and liability in case of a data breach, as well as enhance their data security and privacy by design. To apply these techniques, businesses can use various methods and tools, such as:
Data mapping: This involves identifying and documenting the types, sources, locations, flows, uses, and recipients of personal data within an organization. Data mapping can help businesses understand what data they have, why they have it, where they store it, how they process it, who they share it with, and how long they keep it. Data mapping can also help businesses identify any unnecessary or excessive data collection or processing activities that can be eliminated or reduced.
Data protection impact assessment (DPIA): This is a process that helps businesses assess the potential risks and impacts of their data processing activities on the rights and freedoms of data subjects. A DPIA can help businesses identify any privacy risks that may arise from their data processing activities, such as unauthorized access, disclosure, alteration, loss, or destruction of personal data. A DPIA can also help businesses determine the appropriate measures to mitigate or avoid these risks, such as applying data minimization and pseudonymization techniques.
Data masking: This is a technique that involves replacing sensitive or confidential information with fictitious or random data that looks realistic but has no meaning or value. Data masking can help businesses protect personal data from unauthorized access or disclosure during development, testing, analysis, or reporting activities. Data masking can be applied at different levels of granularity, such as field-level masking (replacing individual fields with fake values), record-level masking (replacing entire records with fake values), or table-level masking (replacing entire tables with fake values).
Data encryption: This is a technique that involves transforming readable plaintext into unreadable ciphertext using a secret key. Data encryption can help businesses protect personal data from unauthorized access or disclosure during storage or transmission activities. Data encryption can be applied at different levels of granularity, such as file-level encryption (encrypting individual files), disk-level encryption (encrypting entire disks), or network-level encryption (encrypting data in transit across a network).
Data tokenization: This is a technique that involves replacing sensitive or confidential information with non-sensitive tokens that have no intrinsic value or meaning. Data tokenization can help businesses protect personal data from unauthorized access or disclosure during processing or sharing activities. Data tokenization can be applied at different levels of granularity, such as character-level tokenization (replacing individual characters with tokens), word-level tokenization (replacing individual words with tokens), or sentence-level tokenization (replacing entire sentences with tokens).
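The three techniques above (pseudonymization, masking and tokenization) are easy to confuse, so here is an added example, not code from the original article, showing how each one treats the same record. It assumes a constructed customer record, a keyed HMAC for pseudonyms (so the mapping cannot be recomputed without a key held apart from the data), a simple in-memory vault for tokens, and field-level masks for e-mail and phone; the names (pseudonymize, TokenVault, mask_email, mask_phone) are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample record: not real personal data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.org",
    "phone": "+44 20 7946 0000",
    "loyalty_points": 4200,
}

# Fields that identify a person directly; everything else is kept as-is.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256).

    The same input always maps to the same pseudonym under the same key, so
    records can still be joined for analytics, but nobody holding only the
    pseudonymized data set can reverse or recompute the mapping: the key is
    the "additional information" that must be stored separately.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Vault-style tokenization: a random token stands in for the value.

    Tokens carry no information about the original; the vault mapping is
    what must be protected and kept apart from the tokenized data.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so joins still work.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def mask_email(email: str) -> str:
    """Field-level masking: keep the first character and the domain."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Field-level masking: keep only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "***" + digits[-4:]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace every direct identifier; keep non-identifying attributes."""
    return {
        field: pseudonymize(str(value), key) if field in DIRECT_IDENTIFIERS else value
        for field, value in record.items()
    }


if __name__ == "__main__":
    # In practice the key comes from a KMS/HSM, never from the data store itself.
    key = secrets.token_bytes(32)
    print(pseudonymize_record(SAMPLE_RECORD, key))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_RECORD["email"])
    print(tok, "->", vault.detokenize(tok))
    print(mask_email(SAMPLE_RECORD["email"]), mask_phone(SAMPLE_RECORD["phone"]))
```

The design point is where the re-identification material lives: for pseudonyms it is the HMAC key, for tokens it is the vault, and for masks there is none (masking is one-way). A breach of the pseudonymized or tokenized data set alone therefore exposes far less than a breach of the raw records, provided the key or vault is stored and access-controlled separately.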
Deleting or anonymizing personal data when it is no longer needed or when requested by data subjects. Deleting means that businesses should erase personal data from their systems and devices in a secure and irreversible way, so that it cannot be recovered or restored. Anonymizing means that businesses should remove any information that can identify or link back to a data subject, either directly or indirectly, so that the data cannot be considered personal anymore. These actions can help businesses comply with their legal obligations and respect the rights of data subjects, as well as reduce their storage costs and risks.
Conducting regular audits and assessments of their data retention practices and compliance status. Businesses should monitor and evaluate their data retention policies and procedures, as well as their actual data storage and processing activities, to identify any gaps or risks that may arise. Businesses should also conduct periodic audits and assessments of their data retention practices by internal or external experts, such as auditors, consultants, lawyers, or regulators. These measures can help businesses ensure that they are following the best practices and standards for data retention periods, as well as detect and prevent any potential breaches or violations.
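The two practices above (deleting or anonymizing expired data, and auditing retention) can be implemented as one scheduled job. The following is an added example, not code from the original article: it assumes a constructed retention schedule per data category (the day counts are illustrative, not legal advice), a legal-hold flag that overrides the schedule, and constructed sample records; the names (Record, RETENTION_POLICY, apply_retention, over_retained) are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule: category -> (retention days, action on expiry).
# Periods are illustrative placeholders; real values come from legal review.
RETENTION_POLICY: Dict[str, Tuple[int, str]] = {
    "marketing_consent": (365, "delete"),      # erase unless re-consented
    "support_ticket": (730, "anonymize"),      # keep the case, drop who it was
    "tax_record": (3650, "delete"),            # assumed statutory minimum
}

# Fields stripped by anonymization; everything else is kept for statistics.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    data: dict = field(default_factory=dict)
    legal_hold: bool = False  # litigation/regulatory hold overrides the schedule


def expiry_date(rec: Record) -> date:
    days, _ = RETENTION_POLICY[rec.category]
    return rec.collected_on + timedelta(days=days)


def anonymize(data: dict) -> dict:
    return {k: v for k, v in data.items() if k not in DIRECT_IDENTIFIERS}


def over_retained(records: List[Record], today: date) -> List[str]:
    """Audit view: ids of classified records past their retention date.

    This is what a breach on `today` would expose that the schedule says
    should no longer exist (legal holds are listed too, so they can be reviewed).
    """
    return [r.record_id for r in records
            if r.category in RETENTION_POLICY and today >= expiry_date(r)]


def apply_retention(records: List[Record], today: date):
    """Enforce the schedule. Returns (kept, anonymized, deleted_ids, audit)."""
    kept: List[Record] = []
    anonymized: List[Record] = []
    deleted: List[str] = []
    audit = {
        "over_retained_before_run": over_retained(records, today),
        "unclassified": [],   # no category -> no policy -> a gap to fix, not to purge
        "legal_hold": [],     # expired but retained on purpose, with a reason
    }
    for rec in records:
        if rec.category not in RETENTION_POLICY:
            audit["unclassified"].append(rec.record_id)
            kept.append(rec)
            continue
        if today < expiry_date(rec):
            kept.append(rec)
            continue
        if rec.legal_hold:
            audit["legal_hold"].append(rec.record_id)
            kept.append(rec)
            continue
        _, action = RETENTION_POLICY[rec.category]
        if action == "anonymize":
            anonymized.append(Record(rec.record_id, rec.category,
                                     rec.collected_on, anonymize(rec.data)))
        else:
            deleted.append(rec.record_id)  # caller performs the secure erase
    return kept, anonymized, deleted, audit


# Constructed sample records (no real personal data).
SAMPLE_RECORDS = [
    Record("r1", "marketing_consent", date(2023, 1, 15), {"email": "a@example.org"}),
    Record("r2", "marketing_consent", date(2024, 3, 1), {"email": "b@example.org"}),
    Record("r3", "support_ticket", date(2021, 5, 1),
           {"name": "Bob Example", "issue": "login failure", "resolved": True}),
    Record("r4", "tax_record", date(2012, 1, 1), {"name": "Carol Example"}, legal_hold=True),
    Record("r5", "misc_export", date(2015, 6, 1), {"email": "d@example.org"}),
]

if __name__ == "__main__":
    kept, anon, deleted, audit = apply_retention(SAMPLE_RECORDS, date(2024, 6, 1))
    print("kept:", [r.record_id for r in kept])
    print("anonymized:", [(r.record_id, r.data) for r in anon])
    print("deleted:", deleted)
    print("audit:", audit)
```

Running the job regularly and keeping its audit output is the evidence a regulator asks for after an incident: the "unclassified" list shows data nobody has taken ownership of, and "over_retained_before_run" measures how much the last breach window would have exposed beyond what the policy allows.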
Conclusion
Retention periods are an important aspect of data protection that businesses should consider carefully when designing their data policies and procedures. By adopting appropriate retention periods that comply with the legal requirements and reflect the legitimate purposes and needs of the business and its data subjects, businesses can reduce their liability from data breaches and improve their performance and reputation.
What is your data retention strategy?