Visit the remains of a nineteenth century gold mine and you may find, far away from the main camp, a lonely little shack. It may be surrounded by trees, or tucked into the crook of a hillside, but it has a distinctly unwelcoming demeanor, as if the building itself wishes to be left alone. This is the explosives shed, and when the mine was operational, it would have been marked by signs with large letters, secured with a lock, and it would have been off limits to all but a few personnel. The need to secure this essential component of the business was obvious; the shed’s contents could shut down the mining operation with a single misstep. Equally obvious is that the shed now stands empty, because removing old explosives the only 100% effective way to prevent a future disaster.
There is a modern equivalent lurking in the data storage facilities of nearly every business. And, while a misstep in the storage of confidential data may not cause immediate physical harm, it still has the ability to shut down the business. As a result, modern companies spend substantial sums ensuring that confidential records are isolated, secured, and generally off limits to all but a few personnel.
In the past two decades, as electronic means of communication supplanted physical ones, lawyers and courts became more attuned to the needs to, first, retain and not destroy records, and, second, to secure retained company records from unauthorized access and disclosure. With the 2018 application (in the European Union) of the General Data Protection Regulation (GDPR) on the near horizon, companies should consider whether there is in the United States not merely a duty to take reasonable precautions to secure data, but an affirmative duty to destroy data as well – to clear the explosives out of the shed, so to speak.
The GDPR contains express obligations to destroy certain forms of data (see, e.g., Preamble 39, 65-66; Articles 5(1)(e), 17) (sometimes called “the right to be forgotten”). As Article 17 provides, a company “shall have the obligation to erase personal data without undue delay where…the personal data are no longer necessary in relation to the purposes for which they were collected.” As of today, there is no U.S. statutory analog to the GDPR. But a U.S. company may nevertheless have an obligation to destroy domestic records. Such a duty may arise from contract, from discrete existing state or federal laws, or, importantly, from the need to ensure an adequate defense to unfair business practice and consumer protection claims.
In Part Two of this post, we will examine the affirmative legal obligations to destroy data under U.S. law.