Morgan Stanley’s recent payment of $60M to settle a civil proceeding for failing to properly dispose of customer data is a reminder of the importance of knowing applicable data disposal laws and drafting appropriate data destruction clauses in technology agreements.
Sources of Obligations
The sources of obligations to destroy or dispose of personal data are myriad. Direct and indirect federal requirements include the Gramm-Leach-Bliley (“GLB”) Interagency Guidelines Establishing Information Security Standards, the GLB Safeguards Rule, the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, the HIPAA Security Rule, and the Fair and Accurate Credit Transactions Act Disposal Rule. Unfair and deceptive acts and practices laws, both federal and state, may also apply. In addition, at least 35 states have unique data disposal laws.
Common law negligence, invasion of privacy, and unjust enrichment are just a few other claims that may be brought against companies failing to properly destroy personal information. And, apart from these requirements, technology agreements typically include provisions requiring deletion or return of confidential information.
Nor are these requirements simple to navigate. Numerous companies besides Morgan Stanley have suffered lapses, including American United Mortgage Company, Cornell Prescription Pharmacy, FileFax, CVS Pharmacy, Searchtec, Home Depot, and RadioShack.
Data Destruction Tips for Technology Customers
That said, for customers contracting for technology services or products that require the use or availability of personal data, several steps are available to reduce data disposal risks.
- Know what personal information destruction and disposal laws apply. Must the destruction efforts be reasonable or must the data be rendered unreadable or undecipherable? Must the data also be unusable?
- Include agreement provisions requiring the vendor to destroy (or return) the data upon request and, in all cases, upon termination or expiration of the agreement. Add that, upon request, the vendor certify or acknowledge the destruction. Follow through on this requirement.
- Contractually require the vendor to destroy the information in a way that leaves it permanently irretrievable, unreadable, inaccessible, and indecipherable. Mandate that paper media be shredded, disintegrated, incinerated, pulverized, or pulped.
- Contractually specify the method of data destruction, particularly if the data media may be reused. For example, obligate the vendor to clear, purge, or destroy the media according to NIST Special Publication 800-88 (Rev. 1), which also calls for verification of the result and a record of what was sanitized, how, and by whom. Many agreements still cite the U.S. Department of Defense (DoD) 5220.22-M "wipe"; be aware that this is a legacy multi-pass overwrite convention for magnetic disks that the DoD manual itself no longer specifies, and that an overwrite alone does not reliably sanitize flash-based media such as SSDs, for which NIST SP 800-88 points to the drive's own purge commands (sanitize or cryptographic erase) or to physical destruction.
- Include in the contract a right to audit the vendor’s data disposal or destruction and ensure that the vendor’s obligation to establish and implement reasonable security measures aligns with the data destruction requirements.
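The clear, verify, and record steps that a contract drafted along these lines asks a vendor to perform, shown as an added shell example (not code from the original article or from any of the companies or standards it names). It assumes a regular file standing in for the storage device so it runs without root, a 4 KiB block size, and hypothetical function names of my own; on real media the target would be a /dev/... path, and the overwrite would only reach the NIST SP 800-88 "Clear" level, not "Purge".

```shell
#!/bin/sh
# Added example, not from the original article: a NIST SP 800-88 "Clear"-style
# overwrite of a media image, followed by the verification and record-keeping
# steps the standard expects. A regular file (assumption) stands in for the
# device so this runs without root; on real media $target would be /dev/...
# An overwrite only qualifies as Clear; flash/SSD media need the drive's own
# sanitize or crypto-erase command to reach Purge, and Destroy is physical.

BLOCK=4096   # assumed block size for the image

# Overwrite every byte of $1 with zeros in place, preserving its size.
nist_clear_file() {
    target="$1"
    size=$(( $(wc -c < "$target") ))
    full=$(( size / BLOCK ))
    rem=$(( size % BLOCK ))
    if [ "$full" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs="$BLOCK" count="$full" conv=notrunc 2>/dev/null
    fi
    if [ "$rem" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs=1 count="$rem" seek=$(( full * BLOCK )) conv=notrunc 2>/dev/null
    fi
    sync
}

# Full verification: succeed only if no non-zero byte remains anywhere in $1.
verify_cleared() {
    [ "$(( $(tr -d '\000' < "$1" | wc -c) ))" -eq 0 ]
}

# Sampled verification for media too large to read back completely: read $2
# random blocks of $1 and fail on the first one that is not all zeros.
sample_check() {
    target="$1"; samples="$2"
    blocks=$(( ( $(wc -c < "$target") + BLOCK - 1 ) / BLOCK ))
    [ "$blocks" -gt 0 ] || return 0
    i=0
    while [ "$i" -lt "$samples" ]; do
        off=$(( $(od -An -N4 -tu4 /dev/urandom) % blocks ))
        n=$(( $(dd if="$target" bs="$BLOCK" skip="$off" count=1 2>/dev/null | tr -d '\000' | wc -c) ))
        [ "$n" -eq 0 ] || return 1
        i=$(( i + 1 ))
    done
    return 0
}

# One line of evidence for the certificate of destruction the customer asks for:
# what was cleared, by which method, whether it verified, and a checksum of the
# final state so the record can be re-checked later.
destruction_record() {
    target="$1"
    if verify_cleared "$target"; then v=yes; else v=no; fi
    printf 'target=%s bytes=%s method=nist800-88-clear-overwrite verified=%s cksum=%s\n' \
        "$target" "$(( $(wc -c < "$target") ))" "$v" "$(cksum < "$target" | cut -d' ' -f1)"
}

# Demo on a constructed image holding fake customer records (constructed data).
img=$(mktemp)
printf 'ACCOUNT=1234-5678 NAME=J. Doe SSN=000-00-0000\n' > "$img"
printf 'x' | dd of="$img" bs=1 seek=9000 conv=notrunc 2>/dev/null   # pad past two blocks
nist_clear_file "$img"
destruction_record "$img"
rm -f "$img"
```

The point a contract drafter should take from this is that the overwrite is the cheap part; the verification pass and the written record are what let the customer exercise the certification and audit rights in the agreement, and they are what NIST SP 800-88 asks for in addition to the sanitization itself.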
Data Disposal Tips for Technology Vendors
For technology vendors, which may also have legal obligations to destroy or dispose of data, contractual and operational mitigations also exist.
- Before contracting, know the personal information destruction and disposal laws that apply. For example, is the vendor a business associate under HIPAA?
- Proactively include language in the agreement permitting vendor destruction or disposal of the data.
- Use industry best practices to destroy or erase the data, even if the technology agreement does not require it.
- Segregate each customer’s personal data from other customers’ data, to facilitate discrete and expedient destruction or disposal.
Given the volume and changing nature of data destruction and disposal requirements, and the compliance challenges they create, these mitigations are all the more important for technology customers and vendors alike.