The Federal Trade Commission has ordered a South Carolina technology company to adopt stringent new policies for deleting personal customer data, yet another reminder that keeping such data when your company no longer uses it is not something regulators want to see.
The company in question is Blackbaud Inc., which sells software to nonprofits to help those organizations manage relations with their donors. Blackbaud suffered a ransomware attack in May 2020 where attackers absconded with at least 1 million files, including files that contained customers’ Social Security and bank account information. The company agreed to pay a ransom of 24 bitcoin (worth about $250,000 at the time), but never confirmed that the attackers actually did destroy the stolen customer data.
That all caught up with Blackbaud last week, when the FTC announced a consent order faulting the company for poor cybersecurity practices. That order includes no monetary penalties, but Blackbaud did agree to implement numerous new practices for data management — remediation steps that privacy or compliance officers might want to review to assure that your own business is taking proper precautions already.
The FTC faulted Blackbaud for two failures. First were the usual complaints that the company deceived customers by promising that it would take “appropriate physical, electronic and procedural safeguards to protect your personal information,” when in fact Blackbaud bungled basic cybersecurity practices. We see that sort of stuff in FTC complaints on a regular basis.
More relevant to us today was the FTC’s second beef with Blackbaud: that the company “held onto data far longer than was necessary for the purpose for which it was maintained.” That allowed the ransomware attack to be even worse, since the attackers were swiping data that shouldn’t have been sitting out there as a target in the first place.
That’s the important lesson here for compliance officers. All the FTC’s complaints about poor cybersecurity practices are important too, but they’re important mainly to the CISO. Data retention and destruction policies are about data management rather than cybersecurity — and to an ever-increasing extent, data management is mainly a concern for the chief compliance officer.
Deleting Data in Practice
Let’s first look at exactly what the FTC ordered Blackbaud to do, as described in the consent order. Within 90 days, Blackbaud must…
Delete or destroy customer backup files containing covered information that is not being retained in connection with providing products or services to respondent’s customers unless otherwise requested by respondent’s customers, and provide a written statement to the Commission … confirming that all such data has been deleted or destroyed; and refrain from maintaining any covered information not necessary for the purpose(s) for which such information is stored and/or maintained.
In simpler words, Blackbaud needs to (1) destroy all customer data the company isn’t using, unless those customers consent to long-term storage; and (2) quit keeping customer data once Blackbaud no longer needs it.
So how does a company put those two goals into practice? What data management capabilities do you need to comply with those regulatory demands?
Writing the actual policy is easy enough. The true challenge is the mechanics of it.
For example, you’d first need to know what data within your archives qualifies as “covered information.” That implies a strong ability to inventory your data, so that you know which files include names, birth dates, bank accounts, Social Security numbers, and so forth; and where that data exists — both logically in the corporate network (“in the database named Good Stuff”) and physically in the world (“which we entrust to an outsourced data storage firm operating in Fresno”).
If you can’t identify the covered information and determine where it is, you’ve already lost the battle. So compliance or internal audit teams would need to consult with the IT department to confirm whether the company can or can’t do this well.
But wait! You can’t destroy any data that might be subject to a litigation hold or government investigation. So the second issue is that the legal and IT teams will need an ability to cross-reference data slated for destruction with data subject to litigation holds. Many e-discovery and data management vendors will say their products can solve this problem, but plenty of companies still haven’t implemented this capability yet.
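An added illustration (not from the article or the consent order) of the triage those two steps imply: a constructed backup inventory is scanned for covered-information classes, cross-referenced against a constructed litigation hold, and only then sorted by the order's two tests. The SSN and account-number formats, the path-prefix hold matching and every file name are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed record for one backup file, as a data inventory would describe it.
@dataclass
class BackupFile:
    path: str
    sample: str               # constructed excerpt of the file's content, to be scanned
    in_use_for_service: bool  # still needed to provide products or services to the customer
    customer_opted_in: bool   # customer explicitly asked for long-term retention

# Assumed detectors for two of the covered-information classes the article names.
COVERED_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bank_account": re.compile(r"\bACCT-\d{8,12}\b"),
}

def classify(text: str) -> set[str]:
    """Inventory step: which covered-information classes appear in the excerpt."""
    return {name for name, rx in COVERED_PATTERNS.items() if rx.search(text)}

def decide(f: BackupFile, holds: list[str]) -> tuple[str, str]:
    """Litigation-hold cross-reference first, then the order's two retention tests."""
    classes = classify(f.sample)
    if not classes:
        return "keep", "no covered information"
    if any(f.path.startswith(h) for h in holds):
        return "hold", "subject to litigation hold; destruction blocked"
    if f.in_use_for_service:
        return "keep", "retained to provide products or services"
    if f.customer_opted_in:
        return "keep", "customer requested long-term retention"
    return "delete", "covered info (" + ", ".join(sorted(classes)) + ") with no remaining purpose"

def triage(files: list[BackupFile], holds: list[str]) -> dict[str, list[tuple[str, str]]]:
    # Group every file by action; the "delete" list is the destruction work order.
    out: dict[str, list[tuple[str, str]]] = {"delete": [], "hold": [], "keep": []}
    for f in files:
        action, why = decide(f, holds)
        out[action].append((f.path, why))
    return out

# Constructed inventory and one constructed hold covering a whole directory.
INVENTORY = [
    BackupFile("backups/donors_2019.bak", "Jane Doe 123-45-6789 ACCT-0012345678", False, False),
    BackupFile("backups/donors_2024.bak", "John Roe 987-65-4321", True, False),
    BackupFile("legal/case-0042/export.bak", "Ann Poe 555-12-3456", False, False),
    BackupFile("backups/newsletter.bak", "subscriber e-mail addresses only", False, False),
    BackupFile("backups/archive_cust7.bak", "ACCT-4455667788", False, True),
]
HOLDS = ["legal/case-0042/"]
```

Calling `triage(INVENTORY, HOLDS)` yields one file to delete, one blocked by the hold and three to keep, each with the reason a written confirmation statement would need.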
Nor can we forget the more mundane details of data destruction policies, such as destroying hardware in the proper way. For example, in 2022 the Securities and Exchange Commission fined Morgan Stanley $35 million for poor data destruction policies and procedures, which led to old Morgan Stanley equipment sold at auction with customer data still on the hard drives.
Working With the First Line
We could keep going with more data management and destruction issues, but there’s a bigger picture that compliance and audit professionals need to step back and appreciate, too. To achieve strong “data minimization” practices — which companies will need to stay on the right side of FTC enforcement and to comply with the EU’s General Data Protection Regulation, among other rules — you’ll need to coordinate closely with business units in the First Line of Defense.
For example, go back to the data inventory capability mentioned earlier. One big threat to that will be duplicative piles of customer data, tucked away in various parts of the enterprise. You, the IT team, and business units collecting customer data will all need to work together to assure that customer data only exists in a few tightly controlled locations, so that extra pockets of data aren’t squirreled away somewhere in a storage drive that’s later compromised.
So how do you craft such policies and procedures, and train employees on them, and have the audit team test those policies and procedures to assure that they work?
We could say the same for destruction of hard drives: you’ll need policies and procedures that apply to the business units, followed up with occasional testing by the audit team.
Business units might object to restrictions on how they collect and use customer data. Audit might tell you it has other priorities. The compliance function itself will be plenty busy analyzing regulatory burdens from the FTC, European privacy regulators, and other agencies to build data minimization policies that are as universally applicable as possible.
Just one more compliance challenge in our digitally transformed world.