Data security and consumer privacy have been “hot” legal topics for several years. A newly emerging trend in both areas is the idea of “data minimization.” As currently defined, data minimization is the idea that a business should only keep on hand information that it currently needs and/or is using. That is, personal information no longer needed should be deleted. This is the position of the Federal Trade Commission (“FTC”) which recently brought actions against a Utah company that failed to delete obsolete data and failed to have reasonable cybersecurity in general. See In re: Matter of INFOTRAX Systems, L.C., Case No. FTC 1623130.

Note that the FTC also brought action personally against the owner and the former CEO, Mark Rawlins. Rawlins was targeted because the facts showed that he personally reviewed and approved InfoTrax’s information technology and cybersecurity policies, was regularly and personally involved in discussions with clients about data security, and was involved in the company’s long-term data security strategy. Under these types of circumstances, the FTC typically will bring actions against the responsible owners and/or senior management. As such, owners and senior management should have a personal vested interest in complying with FTC regulations about data security. Retaining an experienced San Diego corporate attorney can help ensure that your San Diego business is in compliance with the FTC regulations with respect to cybersecurity and data protection.

As noted, the newly emerging trend is to require deletion of personal data that is no longer needed by using a secured method. To accomplish this task, three steps may be considered:

• Mapping the currently existing data
• Identifying which data is currently being used or could be reasonably expected to be used in the near future, and
• Using proper cyber tools to effectively, permanently, and securely delete obsolete data

The FTC’s position is that various software and computer system tools are easily available in the marketplace that make these tasks reasonably low cost and low burden. In general, low-cost solutions will be required given that data and privacy protections are of high priority.

As part of the proposed settlement with the FTC, InfoTrax is prohibited from collecting, selling, sharing, or storing personal information unless it implements an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.

InfoTrax is in the business of operating the major aspects of various websites owned by its various clients. These websites are “portals” for the clients’ distributors and customers. In general, the clients register with layers of markets and manufacturers providing a significant amount of information about customers and what the customers want in terms of end-products. Among the personal data is names, addresses, email addresses, dates of birth, telephone numbers, social security and other identifying numbers, credit card and other payment information including expiration dates and security codes, bank account information with passcodes, and more. According to the FTC, as of September 2016, InfoTrax had stored personal data for approximately 11.8 million consumers.

Among the many failures charged by the FTC, InfoTrax was accused of failing to “… have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary.” The data on the InfoTrax system was upwards of 10 years old and included data on clients and customers who had not done business with InfoTrax clients for several years. Essentially, the FTC required that such data be deleted. Such data breaches and lax data security is considered by the FTC to constitute unfair acts or practices affecting interstate commerce in violation of the Federal Trade Commission Act. See 15 U.S.C § 45(a).

Contact San Diego Corporate Law Today

For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard has been named a “Rising Star” for four years running by SuperLawyers.com. Mr. Leonard provides a full panoply of legal services for businesses and proudly serves the San Diego business community. Like us on Facebook.

You Might Also Like:

Data Breaches and Data Protection for San Diego Businesses

Employees are a Huge Threat to Your Data

Due Diligence and Selling/Buying a Business: Data Breach Disclosures

Protect Your Business from Data Security Breaches

Consumer Privacy Act: Could the Courts Expand the Private Right of Action Under the CCPA?