Description:
In this episode George Tziahanas, VP of Compliance at Archive 360, discusses data disposition and deletion with Joe Shepley from Alvarez & Marsal. They discuss:
- the shift from data retention to data deletion, the legal obligations and risks associated with keeping data beyond its useful life, and the importance of implementing a systematic and consistent process for data deletion.
- the regulatory requirements for data deletion, such as New York DFS Part 500 and California CPRA, and the potential consequences of non-compliance, including fines and reputational damage.
- the need for organizations to approach data deletion as an enterprise information governance initiative and to establish clear accountability for the process.
Speakers
George Tziahanas
AGC and VP of Compliance
Archive360
Joe Shepley
Managing Director
Alvarez & Marsal
Transcript
George Tziahanas:
Hello and welcome to Archive 360's podcast this week. I'm George Tziahanas, I'm the VP of Compliance at Archive 360. We're fortunate to have Joe Shepley, from Alvarez & Marsal on the podcast to discuss data disposition and deletion. Is it not only an option or is it actually required? So with that, Joe, thank you very much for taking time out of your schedule to join us. Why don't you give maybe a minute or two on background and talk a little bit about your practice?
Joe Shepley:
Absolutely. Thanks, George, for having me, by the way. If you know me, you know that I'm passionate about this topic, so always excited to get a chance to share a little bit of my experience and my knowledge. So, I've been involved in information governance for 24, 25 years. I spent about eight years on the other side of the table working at organizations in IT, and then in about 2008 went into consulting and have been working on information governance, records, and information management, data privacy, ever since.
Early stages, we used to call it enterprise content management, ECM. I don't think anybody even uses that term anymore, but it was a lot of digital transformation type work. And as you said, is this a nice to have or is it required? Starting in about 2016 with the passage of the GDPR in Europe, keeping data after you no longer have a legal obligation or a legal purpose to use it, has become increasingly problematic and increasingly risky for firms.
So maybe seven, eight years ago, my practice really shifted from more of a digital transformation, getting value out of content, to much more of a, "Gosh, when this data is past its useful life, we're really taking on increasing risk by the day," and the value of the content is lower or maybe gone. It seems like each year we've got California CPRA, we've got 23 NYCRR Part 500, New York DFS. We've got FTC getting involved, we've got HIPAA enforcement. And so really, it's been an exciting time to be helping companies think about what data they have, whether they should have it, and figure out how they can get rid of it. So, really excited to chat more with you today about what I'm seeing.
George Tziahanas:
Great, and I think we're going to start breaking some of those down as well, but I think I wanted to start in this area of, historically, we were at a point where you had a retention schedule, you were able to dispose of data after some period of time. Maybe your policy said that you did, but oftentimes it really just didn't happen. Is that also your experience?
Joe Shepley:
100%. It's gotten maybe a little bit better, but honestly, I feel like you could go to any ARMA, IAPP, whatever conference, and if you asked by a show of hands the people in the audience, "How many of your organizations are systematically deleting data when it's past its legal life or the time period of the retention schedule?" In a room of a hundred people, you might get three or four hands up, and then if you give them a follow-up and say, "Every system, share drives, email?" And then all of a sudden the hands kind of sheepishly go down.
So honestly, the vast majority of organizations out there, even if they have a retention schedule, even if they're subject to the GDPR, to California CPRA, or to New York DFS, even though they've got policies that say that they're doing it, my experience has been that there are very, very few firms doing this in any way, let alone to the extent they would need to really be fully compliant.
George Tziahanas:
Yeah, so now, we've kind of moved from this world where I'd say that everybody wanted to do it, they had policies around doing it, and you've been talking and writing a little bit about this: now, it's really, "You shall do this," right? And I think you've mentioned somewhere in one of the materials that I took a look at, "Is it illegal not to, at this point, delete data?"
Joe Shepley:
Well, so I'm not a lawyer. So when I'm speaking loosely, I would say, yeah. I mean, there's a bunch of regulations that say you have to be doing it. So, we'll leave it to the lawyers whether we would actually call it illegal. But George, here's the thing that's changed, and I think it's created an inflection point. So if you're subject to what we'll call New York DFS Part 500, there's a couple of sentences in it, 500.13, which says that basically any non-public information, which would be corporate data, whether it's personal information, financial information, whatever it is, non-public data, you have to get rid of it when you no longer have a legal obligation to keep it.
And the problem here is that every April 15th, your Chief Information Security Officer, as well as any of the CEOs of any regulated entities at the organization subject to New York DFS Part 500, have to attest whether they're following it or not. And so, here's the thing that's really ... Whether it's legal or illegal, what is a no-no is for CISOs, for corporate officers to attest that they're following New York DFS Part 500. And not to mention, oh, by the way, we're not really compliant with 500.13, because it turns out we aren't deleting our non-public information systematically when we no longer have a legal obligation.
So just this past April 15th, if you're at an organization listening to us today, and you're subject to New York DFS, and your CISO and the CEOs of regulated entities attested that you're following New York DFS Part 500 and didn't asterisk the fact that, "Well, we're not deleting data. We're in the process," they haven't asterisked that somehow and just said that you are, well, gosh, that's a real problem. Because if you have a breach, and it turns out that data involved in that breach was over-retained, and it turned out that officers of the company attested that we were getting rid of that data, that's bad.
Then similarly, California, George, CPRA requires that for every kind of sensitive personal information that an organization collects about California citizens, that it puts on their publicly facing privacy notice for each one, biometric data, precise geolocation, health data, whatever it might be, how long they intend to keep it, and they're representing that when that time period is over, that they dispose of it. Even though you don't have to give a specific time period, you can say the method by which you determine the retention. You could reference all sorts of things like, unless it's on legal hold, or unless we have a preservation obligation, and so on. The fact is, whatever you say you're doing, you have to be doing. And the fact is that vast majority of firms, regardless of having a retention schedule, regardless of the purpose for which they've collected the data, regardless of whether it's on legal hold or not, they're keeping everything forever.
And so, making that representation on your website, publicly facing, again, not a lawyer, but that's problematic. Because you're representing to consumers, and others, and regulators that you're following your retention schedule, that when things aren't on legal hold, you're getting rid of them when you no longer have a purpose to have them. And the fact is the vast majority of folks aren't. So, whether we would call that illegal or not, it's certainly reached an inflection point because there are very public representations required of many Fortune 1000 firms that they're doing disposition. And if you're not, boy, that really can put you in hot water, both personally as an executive who's making these representations as well as a firm or an organization.
George Tziahanas:
Yeah, and I was being a little bit tongue-in-cheek on the whole, "Is it illegal or not?" But what we definitely do see is these affirmative obligations are there. These are affirmative obligations. I think more importantly, the regulators are taking notice of them, to your point. And this has come up a couple of times, and in your references briefly, in the context of cyber incidents, and that's where a number of firms have realized, and some of the regulators for that matter, that data wasn't deleted.
Joe Shepley:
Yup, and that's really where we're seeing it. So we're not seeing a lot of proactive, like California going after firms like, "Hey, are you deleting data?" And again, the enforcement on CPRA, which is kind of CCPA 2.0, it's where this obligation to represent on the website, how long you're keeping data, and really make the representation that you're getting rid of it. This is newer, and the enforcement was just put into place February-ish. So, we haven't seen them going after folks yet. But George, you've put your finger on it. Cyber is really ... It's in the aftermath of a breach that the sharks are circling. So, you'll get the California AG concerned about what data you had in the event of a breach. And did the data breach uncover problems with how you're operationalizing privacy compliance? And then we're also seeing New York DFS does a similar thing that if there's been a breach, and for example, you've got laptops that had client data on it, and they weren't purged properly, we're seeing seven, eight figure fines.
The third entity that gets involved, the third shark in the water, no offense, is FTC. Their position is becoming, "Okay, so if you've put on your publicly facing privacy notice that you get rid of all this really, really sensitive data from consumers and customers when you no longer have a reason to have it and you don't, and there's a breach, and it gets breached," they view that as a deceptive trade practice. Because, "Hey, I went to the site. I like the fact that you've got these data policies. I feel safe giving you my data, precise geolocation, biometric data, and you're not doing what you said you did." And similarly with the New York DFS, I can go decide if I want to bank with Bank A or Bank B, and I can look at their representations, their attestation about their cyber posture, and, "Okay, I feel good about that company. They're not keeping my data too long. They've got multi-factor authentication," whatever aspects of New York DFS Part 500, that gives you confidence in banking or being a customer.
And then if they're not living up to that, again, we're starting to see the FTC be like the third shark in the water saying, "That's deceptive trade practices. The consumer has every reason to believe you're following your policies, because that's what companies do. And if you're not, and if the fact that you didn't follow those policies in the event of a breach leads to damage to the consumer because their data went missing, no-no," right? So again, all that's coming together, and making this something that is like ... It used to be the third or fourth most important thing, priority, and numbers one through two or one through three would change, so no one ever got to it. In more and more organizations, this is becoming a board-level priority, and the board is asking the CISO, the board is asking General Counsel or the Chief Privacy Officer, "Where are we at with retention and deletion of data?" So it's kind of a once-in-a-career time that I never thought I'd see the day where firms are taking this seriously and they'd actually start to clean up their data. It's an exciting time to be in this space.
George Tziahanas:
It's interesting. If you look at the DFS regs, and you look at the CPRA, and the equivalents, they're coming at the problem from two different kind of worlds, one from a privacy world, one from a security and a compliance world. But the reality is there's a lot of commonality and overlapping requirements here.
Joe Shepley:
There are, and it's funny, I was just talking with someone about the Information Governance Reference Model, and the newer version of it separates cyber and privacy. But for a long time, cyber and privacy were almost synonyms. So it was kind of like people thought of them as having a real Venn diagram overlap when they often were under the same umbrella. So, even though today we think of them as separate, they do have this common provenance, but there are a lot of similarities in these rules. And what it really comes down to, George, is what is my obligation for retaining this data? Or what is my obligation ... So, what's the time period for which I'm required to hold the data for as long as, or I'm required to keep it no longer than? And the first one, how long am I required to keep the data, is a really traditional records question. How long do you keep an invoice? How long do you keep a PO? How long do you keep employee files after separation, or whatever?
The second one, there's a time period beyond which I shouldn't be keeping this data has really been kind of the provenance of privacy. So you think about things like precise geolocation, driving data from a connected vehicle, biometric data, children's data, voice recordings of your kids on a smart speaker. Privacy is often concerned not with how long you should keep it, but boy, you better not keep it longer than, because people have an expectation that that very, very, very sensitive data will only be used for the purpose for which it's collected, like to help me navigate to a hospital. And then, you won't keep it longer or sell it to someone, and that sort of thing. But what overlaps between New York DFS, the GDPR, CPRA, even things like HIPAA is what's the data, what's my legal obligations around the retention and disposal of it, and then demonstrating that I do that on a regular basis systematically and consistently.
And so honestly, if as an organization, you know what data you have, you have a good sense and have documented the legal requirements for either retaining it or no longer retaining it, and you've got a consistent process for evaluating any given data set, what is this data? What's my obligation to retain? If it's past that obligation, is there any kind of a preservation obligation, like a lawsuit, or a regulatory inquiry, or contract term that requires me to hold it? If not, I delete it. And being able to have a repeatable, consistent, demonstrable process to do that, even if it only gets you to 70% of your data, or 80% of your data, or 50% of your data, because it's a journey, that would substantially reduce not only the risk that data poses, because you're getting rid of it, but also would increase the chances that a regulatory action, whether it's before or after a breach, whatever it might be, will go much better for your organization, because you've got that in place.
George Tziahanas:
As we look to wrap up here today, I just wanted to get one final thought from you, which is ... So, I think we have a sense for where companies are and enterprises are on this journey. Where do you suggest that they go here and some near term recommendations for them as they look to navigate this?
Joe Shepley:
Yeah, I think the most important thing, the two things that without these two things, we might as well pack up our marbles and go home. One is the organization has to approach this from a very traditional information governance program perspective. So this isn't an IT project to clean up some servers. It's not a privacy thing, it's not a records management thing. It's, if you look at the Information Governance Reference Model, that circle with all the different roles on it, that's literally the people that have to be sitting around the table in order to make good decisions and get this moving forward. So without that, very difficult to make progress. But it's the CIO's thing, and that's her job, or whatever. This is an enterprise information governance initiative to solve this problem.
Second, figuring out where the accountability is for this is really critical because a lot of organizations push the accountability for data retention and cleanup onto the business. And the fact is, in the real world when there's a breach, and data's been over-retained, and it's gone missing, it's been exfiltrated, whoever has to fly to Sacramento, or to go downtown to the financial district to talk to DFS, or go to Washington to talk to the FTC or the Office for Civil Rights, the executive who's going to be on the hook for the fallout is the one who needs to be accountable for this happening. Because what happens is we put the accountability on the end users and they know that they're not getting on that plane, and so they don't do it. But for example, your General Counsel, she is going to be getting on a plane if there's a significant breach of private data, of personal information that's been over-retained. So she needs to take that accountability and lead that information governance program to get it done. If you get those two things in place, the rest of it, while difficult, is doable and very straightforward. Without those two things in place, boy, a lot of that other work that you do can really be wasted because it's hard to make progress.
George Tziahanas:
Well, great. Joe, thanks very much for taking time with us today. It was very insightful and helpful, I think, to our customers and the broader community here that we serve. If people have follow-up questions and want to get in touch with you, how best to do so?
Joe Shepley:
The best way to do it is to hit me up on LinkedIn. I've got my email on there. I've got my cell phone. I really love connecting. I really love talking about this stuff, and I'm pretty active out in industry, so I would love to connect with anybody who wants to talk more about this stuff and just kind of geek out. I love it.
George Tziahanas:
Awesome. Well, thank you very much, and if you want to get in touch with me, it's GeorgeT@Archive360.com. And you can see all kinds of other material that we have available at Archive 360, where this podcast will also be published. Thank you very much.
Joe Shepley:
Thanks, George.