The Morgan Stanley data breach episode highlights a critical point: at any stage of the data lifecycle.
The Legal Imperatives for Data Erasure
There are several data protection regulations that require organizations to implement robust data privacy measures, including secure data erasure practices to ensure the confidential data of their citizens is protected.
The EU’s General Data Protection Regulation (GDPR) is an exemplary data privacy regulation: it gives data subjects the right to be forgotten (the right to erasure) and contains strict provisions for fining organizations whose handling of EU citizens’ data leads to a compromise. Non-compliant organizations face fines of up to €20 million or 4% of global annual turnover.
The California Consumer Privacy Act (CCPA) empowers consumers with control over their data, including the right to erasure. The California Attorney General may levy penalties of not more than $7,500 for each intentional violation and not more than $2,500 for each unintentional violation. There is, however, no ceiling on the total amount of fines that can be imposed.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) instructs organizations to destroy, erase, or anonymize personal information that is no longer needed. An organization that knowingly violates any part of the PIPEDA guidelines for proactive data security safeguards may be liable for a penalty of up to $100,000 CAD per violation.