Protecting Personal Data from Breaches: Best Practices for Data Deletion
Key Takeaways: It is common for businesses to share personal data with third-party vendors or service providers who act as data processors in connection with their provision of services to the business. These third parties offer a variety of services that help businesses manage, analyze, or build upon the data a controller collects. However, businesses, in their role as data controllers, remain responsible for the personal data held by their processors and may be held liable for the actions of third-party processors in the event of a data breach or violation of data privacy law. Data controllers assume the risks associated with sharing their data with third-party vendors, as demonstrated by the AT&T settlement with the Federal Communications Commission.
FCC Enforcement
The Federal Communications Commission (“FCC”) is the primary authority for federal communications law, regulation, and technological innovation in the United States. The FCC’s responsibilities include oversight of data breach and response actions in the communications sector.[1] In 2023, FCC Chairwoman Jessica Rosenworcel established the Privacy and Data Protection Task Force (the “Task Force”), an FCC staff working group focused on rulemaking, enforcement, and public awareness related to data privacy and security, including data breaches and insufficient privacy and security practices.
AT&T Data Breach
On September 17, 2024, the FCC announced a $13 million settlement with AT&T to resolve its investigation of a 2023 data breach. From 2015 to 2017, AT&T shared customer data with an unnamed third-party vendor that generated and hosted personalized video content for AT&T, including billing and marketing videos, using AT&T customers’ personal data. The vendor was permitted to retain the personal data only for the period set forth in its contract with AT&T and was required to destroy the data upon completion of the contracted services. AT&T, however, did not confirm that the vendor actually destroyed the data, and the vendor retained AT&T’s customer data well beyond the contractual period, leaving it exposed in the breach the vendor suffered in 2023. Although the vendor, not AT&T, experienced the security breach, the FCC found AT&T at fault because a carrier remains responsible for safeguarding its customer data even when that data is held by a third party. By failing to verify the vendor’s deletion of customer data, AT&T fell short of that obligation, and the data of nearly nine million AT&T customers was compromised as a result.
As a part of the FCC settlement, AT&T also entered into a consent decree in which it must introduce new preventative measures related to data security and protection of customer information.[2] AT&T must name a compliance officer responsible for overseeing AT&T’s compliance with the consent decree and related privacy and security requirements, develop and implement a compliance plan, establish an information security program and vendor information security program, strengthen vendor oversight, and create a data inventory program to track customer data collection and storage.
AT&T’s $13 million settlement demonstrates the importance of vendor management and the risks associated with sharing data with third-party vendors. Even though the data was breached because the vendor failed to meet its contractual deletion obligations, AT&T was ultimately liable for the breach of its customer data: the data belonged to AT&T’s customers, and AT&T did not ensure the vendor deleted it as the contract required. As FCC Enforcement Bureau Chief Loyaan A. Egal stated in the FCC’s announcement of the AT&T settlement, “[C]ommunications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data … [this settlement] should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data.”[3] With this settlement the FCC signals that data controllers can, and likely will, be held at fault for their vendors’ noncompliance with data deletion requirements.
Why Does Personal Data Need to be Deleted?
As a best practice, personal data should be deleted when it is no longer needed for the specific processing purposes, such as the performance of services for a data controller. The longer data is retained, the greater the risk that it will be compromised in a breach. In the case of AT&T’s service provider, adherence to the contractual deletion requirements would have meant the customer data was no longer in the vendor’s possession when the 2023 breach occurred.
Comprehensive data privacy laws establish data deletion requirements for data processors. For example, Section 59.1-579 (b)(2) of the Virginia Consumer Data Protection Act (“VCDPA”) states that the contract between the controller and processor must require the processor to delete or return all personal data to the controller at the end of the provision of services, unless retention of the personal data is required by law. This deletion or return requirement is also found in all other current state privacy laws. Similarly, Article 28(3)(g) of the General Data Protection Regulation (“GDPR”) requires the contract between the data controller and data processor to state that the processor must, at the choice of the controller, delete or return all the personal data after the end of the provision of services relating to processing, unless applicable law requires storage of the personal data.
While there is no exact timeline required regarding the processor’s data deletion set forth in GDPR or state data privacy laws, it is common for data processing addendums to require the processor to delete data “promptly” after the processing has been completed. “Promptly” is often not defined but is frequently understood to mean within 30-60 days of completion of the services.
Data controllers should establish a data retention policy that addresses the retention and deletion schedules for each type of personal data, how the personal data is used and shared, any specific laws applicable to the personal data, and any third parties who have access to the personal data. Specific company personnel should be tasked with monitoring and enforcing the policy, including obtaining and recording each vendor’s confirmation that data has been deleted when services end.
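The monitoring step is the part of such a policy that can be automated. The following Python script is an added example, not code from the article or from any company’s compliance program. It keeps a small data inventory of what has been shared with which vendor, derives each share’s deletion deadline from the end of services plus the contract’s “promptly” window, and flags any share that is past its deadline with no deletion attestation on file (or whose attestation arrived late). The vendor names, data categories, dates and the 30-60 day windows are constructed for illustration; the `DataShare` fields and status names are this example’s own choices, not terms from the FCC consent decree.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class DataShare:
    """One category of personal data shared with one vendor (fields are assumed, not from the article)."""
    vendor: str
    data_category: str
    services_ended: Optional[date]            # None while the engagement is still running
    deletion_window_days: int                 # contractual "promptly" window, assumed 30-60 days
    deletion_attested: Optional[date] = None  # date the vendor certified destruction in writing
    legal_hold: bool = False                  # retention required by applicable law

    def deletion_deadline(self) -> Optional[date]:
        """Contractual deadline: end of services plus the agreed deletion window."""
        if self.services_ended is None:
            return None
        return self.services_ended + timedelta(days=self.deletion_window_days)


def classify(share: DataShare, today: date) -> str:
    """Return one of: ongoing, legal_hold, deleted, late_attestation, pending, overdue."""
    deadline = share.deletion_deadline()
    if deadline is None:
        return "ongoing"
    if share.legal_hold:
        return "legal_hold"
    if share.deletion_attested is not None:
        # An attestation dated after the deadline still needs review: the data
        # sat with the vendor longer than the contract allowed.
        return "deleted" if share.deletion_attested <= deadline else "late_attestation"
    return "overdue" if today > deadline else "pending"


def days_overdue(share: DataShare, today: date) -> int:
    """Days elapsed since the deadline with no attestation; 0 if not yet due or not applicable."""
    deadline = share.deletion_deadline()
    if deadline is None or share.deletion_attested is not None or today <= deadline:
        return 0
    return (today - deadline).days


def audit(inventory: List[DataShare], today: date) -> Tuple[Dict[Tuple[str, str], str], List[Tuple[str, str]]]:
    """Map each (vendor, category) to its status and list the ones needing follow-up with the vendor."""
    statuses = {(s.vendor, s.data_category): classify(s, today) for s in inventory}
    follow_up = [key for key, status in statuses.items() if status in ("overdue", "late_attestation")]
    return statuses, follow_up


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    DataShare("video-vendor", "billing", date(2017, 12, 31), 30),                  # never attested
    DataShare("video-vendor", "marketing", date(2017, 12, 31), 30, legal_hold=True),
    DataShare("analytics-vendor", "usage", date(2024, 1, 15), 60, deletion_attested=date(2024, 2, 20)),
    DataShare("analytics-vendor", "support", date(2024, 1, 15), 60, deletion_attested=date(2024, 6, 1)),
    DataShare("print-vendor", "billing", None, 30),                                # services ongoing
    DataShare("crm-vendor", "contact", date(2024, 10, 20), 45),                     # inside the window
]


if __name__ == "__main__":
    as_of = date(2024, 11, 11)
    statuses, follow_up = audit(SAMPLE_INVENTORY, as_of)
    for key, status in statuses.items():
        print(f"{key[0]:>16} / {key[1]:<10} {status}")
    for share in SAMPLE_INVENTORY:
        if days_overdue(share, as_of):
            print(f"{share.vendor} ({share.data_category}) overdue by {days_overdue(share, as_of)} days")
    print("follow up with:", follow_up)
```

Run as of 11 November 2024, the script reports the never-attested 2017 share as overdue by several years and the June attestation as late, while the share under legal hold and the share still inside its window are left alone. Extending the inventory to real contract records turns the policy’s “monitoring and enforcement” clause into a check that can run on a schedule and produce a list of vendors to chase.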
Best Practices to Protect Personal Data
It is important for data controllers to implement strong data governance practices. This includes data retention and deletion policies, data inventory management, and comprehensive information security programs. Once such programs are in place, the controller must continually review and improve them so they remain in line with applicable data privacy laws and industry standards. The cost of an effective control mechanism that prevents data missteps is generally lower than the penalties imposed to correct them. Data retained longer than necessary remains exposed to threat actors who target such data and may use it to harm the individuals and entities it identifies.
Koley Jessen is committed to staying informed about developments related to data processing and data privacy compliance and will offer guidance as new information emerges. If you are unsure about your business's compliance needs or applicable data retention requirements, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for assistance.
*Special thanks to summer associate Sydney Mallum for her contributions to this article.
[1] Federal Communications Commission, https://www.fcc.gov/about-fcc/what-we-do (last visited Nov. 11, 2024).
[2] FCC, FCC EB Settles with AT&T for Vendor Cloud Breach (Sept. 17, 2024), available here.
[3] https://docs.fcc.gov/public/attachments/DOC-405545A1.pdf
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.