Regulators have heightened rulemaking and enforcement to strengthen recordkeeping, data retention, and data deletion requirements
KPMG Insights: Regulators are increasingly scrutinizing data retention and recordkeeping laws, including collection, storage, retention, and disposal practices. This scrutiny falls under existing data retention, privacy and risk management regulations and guidance—and regulatory expectations are quickly being established via supervision and enforcement. In anticipation of heightened regulatory attention, companies should review their electronic communications policies, practices, and communications as well as their data retention and deletion policies and practices across legacy and multi-platform systems and unstructured data repositories.
Regulators have heightened their attention and enforcement on data privacy and security, including issues related to recordkeeping, data retention, and data deletion. Recent actions include:
1. SEC: An SEC final rule that “modernizes” electronic recordkeeping requirements for broker-dealers and security-based swap entities.
2. Enforcement: Enforcement actions against various firms, including:
3. New Regulations: New laws and rulemakings (at the state and federal levels) intended to minimize the data that are collected and retained, including by limiting the duration of the retention period and mandating deletion.
The SEC issued a final rule to “modernize” electronic recordkeeping requirements for broker-dealers and security-based swap entities to:
Multiple enforcement actions have been issued relating to the storage, retention, and disposal of both customer and company data. Public enforcements include:
In particular, the agencies found that the firms’ employees conducted business communications through unauthorized channels and on personal devices, and also that these communications were not maintained or preserved. The agencies further cited the firms for related supervisory failures. The federal securities laws and the Commodity Exchange Act require the creation and retention of records for reasons of investor protection and public interest.
In particular, the SEC found the firm violated both the Safeguards Rule and the Disposal Rule under Regulation S-P, which require, respectively, “written policies and procedures to address administrative, technical, and physical safeguards reasonably designed for the protection of customer records and information,” and, at the time of their disposal, reasonable measures to protect against unauthorized access to, or use of, the data.
FTC. In December 2021, the FTC published a final rule amending its Standards for Safeguarding Customer Information (Safeguards Rule), which are applicable to financial institutions under the FTC’s jurisdiction. The rule amendments became effective in January 2022 and include provisions related to data retention and disposal. In particular, the rule now states covered financial institutions must:
In August 2022, the FTC published an advance notice of proposed rulemaking (ANPR) seeking public comment on commercial surveillance and data security practices, including those that relate to the FTC’s Safeguards Rule. Among other things, the ANPR poses multiple questions on the collection, use, and retention of consumer data, including whether:
CPRA. The California Privacy Rights Act (CPRA), which was enacted in 2020 and becomes fully effective in January 2023, establishes limitations on data collection and retention. More specifically: