Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws
State Data Destruction Laws
About two-thirds of states have data destruction (disposal) laws requiring personal information to be disposed of so it is no longer readable or decipherable, which advances data minimization. No across-the-board federal law exists, but sectoral rules apply - e.g., the FTC Disposal Rule for consumer reports.
State data destruction laws ensure data is handled appropriately at the end of the data life cycle, implementing data minimization and reducing the data at risk in a breach. No federal law imposes destruction standards across all industries, but sectoral mandates exist - the FTC enforces the Disposal Rule for consumer reports.
About two-thirds of states require companies to destroy or dispose of personal information so it is no longer readable or decipherable. 'Personal information' is often defined similarly to its definition in the breach notification laws. Common elements of these laws include: who is covered (government and/or private entities), required notice, exemptions (GLBA, HIPAA, FCRA), covered media (electronic and/or paper), and penalties.
Key terms - quick answers
What is “Data destruction law”?
A state law requiring secure disposal of personal information at the end of the data life cycle so it is no longer readable or decipherable.
What is “Data minimization”?
The principle that data should be kept only as long as necessary to fulfill its purpose; secure destruction also reduces breach exposure.
What is “FTC Disposal Rule”?
A federal rule, enforced by the FTC, governing disposal of consumer reports and information derived from them (covered in Chapter 9).