For years, the default setting at many companies was to keep electronic data indefinitely. Storage is cheap, there are legal risks associated with deleting data, and you never know when an email from 10 years ago is going to become important. Some companies have document management policies, but often they are not rigorously enforced or they are suspended whenever litigation arises. The result is that most companies have enormous amounts of old data and are generating significant amounts of additional data every day. As the cybersecurity and data privacy risks associated with having large volumes of extraneous data increase, regulators have started to require companies to get rid of data that they don’t need for business, regulatory or legal reasons.  Here are some recent examples:

  • NYDFS – Starting on September 1, 2018, companies regulated by the New York Department of Financial Services’ cybersecurity rules are required to have a data minimization program that includes “policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information…that is no longer necessary for business operations or for other legitimate business purposes… except where such information is otherwise to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.”
  • GDPR – The EU’s new General Data Protection Regulations, which came into effect on May 25, 2018, requires the limitation of personal data to “what is necessary in relation to the purposes for which [such data] are processed.”
  • US State Laws – The newly enacted South Carolina Insurance Data Security Act, which is based on the model insurance law requires covered entities to “define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.”  The Act becomes effective on January 1, 2019.  In addition, the New York Attorney General recently released cybersecurity guidance for small businesses, which states, “Hackers can’t steal sensitive information if it’s not there.  To limit the risks from an attack, delete customer or employee information files you no longer need.”

Although regulators are requiring data minimization programs, implementation remains tricky. Assuming that no one is going to actually review all of the thousands or millions of documents that are to be deleted, sorting documents that must be preserved for legal or regulatory purposes from those that can safely be deleted requires careful planning in order to be effective and not an enormous drain on resources. As discussed in our recent webcast on Cybersecurity and Data Management, recent cases under the Federal Rules of Civil Procedure on spoliation significantly reduce the risk of sanctions resulting from the accidental deletion of electronic materials that might be relevant to litigation. In addition, advances in data analytics and machine learning are creating opportunities for companies to responsibly delete large volumes of old data, without having to review each document to determine if it must be retained for litigation purposes or for some regulatory obligation. These issues, along with a step-by-step approach to responsible document deletion, are also discussed in the below webcast.

The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their cybersecurity regulatory obligations. If you have questions about the Portal, please contact

The author gratefully acknowledges the assistance of Law Clerk Daniela Dekhtyar-McCarthy in preparing this entry