Electronic Data Retention Regulations

Electronic data has been growing in volume for several decades. The sheer quantity of electronic files (e.g., emails, pictures, videos) has filled local and remote databases, and cloud storage facilities have been built to hold this information for us. Cloud storage facilities have certain obligations towards their customers, which include secure storage of electronic files using industry-approved protocols. The rules for proper storage should not change based on the particular industry. In fact, cloud storage facilities are supposed to apply similar protection measures, such as encryption, to all electronic files in order to keep them safe.

Encryption is a tool or resource that scrambles files and hides them from plain sight. The encrypted data is called “ciphertext” and can only be decrypted with the right key. There are two types of encryption: symmetric and asymmetric. Symmetric encryption uses one key for both encryption and decryption. Asymmetric encryption uses two different keys for encryption and decryption, i.e., a public key and a private key. The public key can be shared with the general public, but the private key remains secret and is accessible only to the right individual. There are various encryption technologies, such as AES, Triple DES, RSA, and Blowfish.
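The following is an added illustration of the distinction drawn above, not code from the article or the law firm. It uses the third-party `cryptography` package (`pip install cryptography`): Fernet stands in for a symmetric scheme (one secret key both encrypts and decrypts) and RSA-OAEP for an asymmetric one (public key encrypts, private key decrypts). Each function also shows the property a custodian of stored files cares about: a ciphertext cannot be opened with any key other than the right one. The key sizes and the sample message are chosen here and are not from the article.

```python
"""Symmetric vs asymmetric encryption round-trips (added example).
Requires the `cryptography` package; all inputs are constructed samples."""
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def symmetric_roundtrip(plaintext: bytes) -> dict:
    """One key scrambles and unscrambles. Fernet is AES-128-CBC plus an HMAC
    tag, so a ciphertext that was tampered with is rejected, not decrypted."""
    key = Fernet.generate_key()          # must stay secret on BOTH sides
    box = Fernet(key)
    ciphertext = box.encrypt(plaintext)  # the "ciphertext": unreadable without key
    recovered = box.decrypt(ciphertext)
    # A second, unrelated key cannot open the ciphertext.
    try:
        Fernet(Fernet.generate_key()).decrypt(ciphertext)
        wrong_key_rejected = False
    except InvalidToken:
        wrong_key_rejected = True
    return {"recovered": recovered,
            "wrong_key_rejected": wrong_key_rejected,
            "ciphertext_differs": ciphertext != plaintext}


def asymmetric_roundtrip(plaintext: bytes) -> dict:
    """Two keys: anyone holding the public key can encrypt, only the holder
    of the private key can decrypt. RSA-OAEP can only wrap a short message,
    which is why real systems encrypt the file with a symmetric key and then
    protect that key with RSA, rather than RSA-encrypting the file itself."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = private_key.public_key()  # safe to publish
    oaep = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)
    ciphertext = public_key.encrypt(plaintext, oaep)
    recovered = private_key.decrypt(ciphertext, oaep)
    # Someone else's private key (constructed here) cannot decrypt it.
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        other.decrypt(ciphertext, oaep)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"recovered": recovered,
            "wrong_key_rejected": wrong_key_rejected,
            "ciphertext_differs": ciphertext != plaintext}


if __name__ == "__main__":
    msg = b"customer record #1234 (constructed sample)"
    print(symmetric_roundtrip(msg))
    print(asymmetric_roundtrip(msg))
```

The practical consequence for stored data is that the custodian's real secret is the key, not the ciphertext: losing the key makes the records unrecoverable, and leaking it makes the encryption worthless, so key storage and rotation belong in the retention policy alongside the retention periods.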

Electronic data retention includes collecting, storing, and managing information. Private and public organizations should have the right rules and regulations that define how electronic information is located, identified, and stored. There are government regulations, international standards, industry regulations, and internal policies. Government regulations are set by state or federal governmental agencies such as the Federal Trade Commission and the Internal Revenue Service. International standards are set by the International Organization for Standardization, for example ISO/IEC 27040, ISO 9001, and ISO 17068:2017. Industry regulations include the GDPR, PCI-DSS, and CCPA. Finally, internal policies include data version controls and employee record retention.

There are various electronic data retention rules and regulations, and they are not globally uniform. For example, the rules in Australia may differ from those in China. The European Union’s rules (e.g., GDPR) are far more comprehensive than most others. There may be similarities between the rules, but none are entirely identical. One common principle is that personal data should not be stored or processed for longer than necessary. Switzerland, on the other hand, has a comprehensive data retention protocol which requires business data to be stored for at least ten years after the end of the financial year. In the United States, however, there is no uniform state or federal law that applies across the board. Instead, there is a mixture of laws that each apply to a specific industry, such as the Fair Labor Standards Act, the Bank Secrecy Act, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act. The Electronic Communication Transactional Records Act [codified under 18 U.S.C. 2703(f)(2)] governs data preservation for service providers and mandates preservation for at least ninety days. FISMA, which applies to contractors and federal agencies, requires data retention for at least three years. In addition, HIPAA, which applies to health care providers, requires data retention for at least six years from the electronic file’s creation date.

In summary, organizations should invest adequate time in creating a practical data retention policy that includes clear guidelines. The data retention policy should be created once the data has been properly located, classified, and reviewed. The data retention lifecycle includes the following phases: (1) creation; (2) storage; (3) usage; (4) archival; and (5) disposal. All data should be considered, including, but not limited to, emails, customer records, supplier records, employee files, databases, and accounting and financial files.
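As an added example of what such a policy looks like once it is turned into something a records system can enforce, the script below (written for this page, not the firm's own tooling) encodes the retention periods the article quotes and audits a small record inventory against them. The periods come from the text above: ninety days of preservation under 18 U.S.C. 2703(f), three years under FISMA, six years from creation under HIPAA, and ten years after the end of the financial year for Swiss business records. The record inventory, the assumption that the financial year ends on 31 December, and the field names are constructed for the example. The audit reports both directions of non-compliance: records disposed of before their period ended, and records kept past it without review (the "no longer than necessary" principle).

```python
"""Retention schedule audit (added example; inventory and dates constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Minimum retention per regime, as quoted in the article. "anchor" says where
# the clock starts: the record's creation date, or the end of the financial
# year in which it was created (the Swiss rule).
RULES = {
    "ecpa_preservation": {"years": 0, "days": 90, "anchor": "creation"},
    "fisma": {"years": 3, "days": 0, "anchor": "creation"},
    "hipaa": {"years": 6, "days": 0, "anchor": "creation"},
    "swiss_business": {"years": 10, "days": 0, "anchor": "financial_year_end"},
}
FINANCIAL_YEAR_END = (12, 31)  # assumption: calendar financial year


@dataclass
class Record:
    name: str
    regime: str
    created: date
    disposed: Optional[date] = None  # set once the record reaches the disposal phase


def retention_end(created: date, regime: str) -> date:
    """First day on which the record may lawfully be disposed of."""
    rule = RULES[regime]
    if rule["anchor"] == "financial_year_end":
        start = date(created.year, *FINANCIAL_YEAR_END)
    else:
        start = created
    # Add whole years by replacing the year; 29 Feb falls back to 28 Feb.
    try:
        end = start.replace(year=start.year + rule["years"])
    except ValueError:
        end = start.replace(year=start.year + rule["years"], day=28)
    return end + timedelta(days=rule["days"])


def audit(records, today: date):
    """Return (record name, finding) pairs for every policy deviation."""
    findings = []
    for rec in records:
        end = retention_end(rec.created, rec.regime)
        if rec.disposed is not None:
            if rec.disposed < end:
                findings.append((rec.name, f"disposed {rec.disposed}, before retention end {end}"))
        elif today >= end:
            findings.append((rec.name, f"retention ended {end}; review for archival or disposal"))
    return findings


# Constructed inventory: one record per regime plus one premature disposal.
SAMPLE_RECORDS = [
    Record("patient_chart_2017", "hipaa", date(2017, 3, 1)),
    Record("federal_contract_log", "fisma", date(2021, 6, 15)),
    Record("zurich_invoice_2014", "swiss_business", date(2014, 5, 20)),
    Record("subscriber_hold", "ecpa_preservation", date(2024, 1, 10)),
    Record("early_shred", "hipaa", date(2020, 1, 1), disposed=date(2022, 1, 1)),
]


def run_audit(today: date = date(2024, 7, 1)):
    return audit(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```

Keeping the schedule as data (the `RULES` table) rather than scattering periods through code is what makes the policy reviewable when a regulation changes, and the `disposed` check is the piece most home-grown scripts omit: a retention policy is violated as much by deleting too early as by keeping too long.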

Our internet and cybersecurity lawyers have been prosecuting and defending legal actions in state and federal courts. Our law firm is ready to assist its clients in matters related to internet, cybersecurity, and privacy. Please contact our law firm to speak with an internet attorney at your earliest convenience.