As discussed in Tuesday’s post, in addition to taking reasonable precautions to secure data, companies should consider whether they have an affirmative duty to destroy data in the United States – to clear the explosives out of the shed, so to speak.
Contractual duties to destroy records have been in existence since judges wore powdered wigs. For example, in M&A transactions, if after due diligence a company decides not to proceed with an acquisition, typically the purchaser must return or destroy any confidential data that was obtained. The same is true in vendor agreements involving proprietary processes and methods. But there may be another, less obvious source of a contractual duty to destroy records. Every company with employees necessarily maintains confidential data from employment applications, background checks, personnel files, payroll records, health insurance records, marital orders, collections orders, and compliance with subpoenas regarding individual employees, etc. Businesses frequently make representations to and agreements with prospective and current employees regarding how they will treat their confidential information, and those representations may give rise to conflicting interpretations after an employee has separated from the company.
Every company should review the representations it makes when soliciting employment applications, as well as its employee handbooks, for statements that expressly or implicitly fix an end date to the company’s document retention periods (“we will keep your application on file for one year, after that you will need to re-apply”), or for statements that impose an obligation to take “reasonable” care to ensure the privacy of confidential data. An employee may understand the term “reasonable” to include the expectation that confidential records will not be kept by the company for longer than necessary to defend a lawsuit regarding the employee’s employment performance. For example, if you last worked for a company 10 years ago, would it surprise you to learn that your complete personnel file is still sitting in a mini-storage unit rented by the company? Would you be troubled to learn that the company still had a copy of an investigator’s background report, including your residence history, social security number, neighbors’ comments, salary history, divorce records, and credit reports? What if you were the subject of a meritless harassment complaint, and were never told because the company was already planning to change your office location and simply accelerated your move in response to the complaint? Could you be harmed if the information in those confidential files was made public? What the courts may construe today as the reasonable expectation of the parties regarding how long confidential files should be kept may differ from what one of the parties subjectively expected at the time.
A discrete statutory duty to destroy data may also exist. For example, health care institutions often address compulsory document destruction requirements under HIPAA, including standards relating to the manner of data destruction, and the number of degaussing passes required and/or level of physical destruction necessary before an electronic document can be deemed destroyed. There can be other state and federal requirements that expressly require document destruction, in surprising contexts.
A third potential duty to destroy documents is worth considering. When a data breach occurs, the company whose records were exposed can expect to be sued by a variety of persons and entities, including state attorneys general, class action lawyers representing victims of the breach, banks and insurers who have paid damages for losses, and/or disgruntled investors who take umbrage at the quality of the company’s data privacy practices. Discovery regarding the breach will likely first revolve around the nature of the breach, the steps the company took to secure and control access to the records, and the reasonableness of the company’s policies and practices regarding data privacy. But for older documents, one question is inevitably going to be asked: Why did the company even have those records at that point in time? If the answer falls short of common industry practices, contravenes a representation in the employee handbook, runs afoul of some then-existing judicial decision, or simply fails to account for the reasonable expectations of the pertinent parties, the company may have difficulty defending its failure to timely destroy the records that were exposed.
Data breach class actions typically allege violations of state unfair business practice and consumer protection laws (in addition to statutory notice, negligence, breach of contract, conversion, and esoteric claims). That is no accident; unfair business practice standards for liability are often nebulous and ill-suited for summary resolution. In 2015, a California consumer protection advocacy group filed a complaint with the Federal Trade Commission against Google. In that complaint, the group argued that Google’s refusal to recognize in the U.S. the “right to be forgotten” that is codified in the EU constitutes an unfair business practice in the U.S. The complainant cited Section 5 of the Federal Trade Commission Act (prohibiting unfair business practices). It is not a great stretch to imagine a similar claim being filed by plaintiffs placed at risk by a company’s failure to timely destroy – not merely secure – old records. There may be no legal precedent for such a claim, but what company wants to become that precedent by suffering a data breach involving old documents that the company no longer needs?
Alfred Nobel’s patented method for combining diatomaceous earth with nitroglycerin made the nineteenth-century explosives shed a less dangerous place to be. But nitroglycerin in any form becomes less stable – and far more dangerous – as it ages. Perhaps we should extend the analogy to old company documents, and take some time to clear the old explosives out of the company shed.