Data Retention and Breach Notification Obligations

Feb 29, 2024
March 14, 2024
Jonathan Sharabi
Data Retention and Breach Notification Obligations

As companies experience increased regulatory requirements and restrictions regarding the use and management of sensitive data, they are faced with the added risk of lost revenue. Even worse, the CEO and members of the board may be held personally liable if they are unable to comply with ever-changing regulations.

For example, recent regulatory changes like those from the Securities and Exchange Commission (SEC) regarding incident reporting and cybersecurity disclosures mandate that U.S. publicly traded companies report cybersecurity incidents within four business days. They also require that public companies detail their cybersecurity management strategies in annual reports. Such regulations are causing businesses to embed data retention and breach notification commitments into their contracts with vendors.

What are data retention and breach notification obligations?

Data retention rules establish how long a vendor keeps client data before it is deleted. Once the vendor-client relationship ends, the vendor must find and securely erase the client's data, reducing the likelihood of a cybersecurity incident by limiting data exposure. On the other hand, data breach notifications are contractual requirements for vendors to quickly inform clients of any security incidents that lead to unauthorized access or loss of data. This gives clients the possibility of taking appropriate action when a breach occurs, such as notifying affected individuals and preventing further damage.

For additional context, data retention and breach notification policies are a means for clients to safeguard the use and management of their data by the vendors they work with. A vendor may hold various types of sensitive client data, including customer details (names, addresses, and other personal data), employee information, and confidential business data (intellectual property and trade secrets).

Which existing laws enforce data retention and breach notifications?

The main reasons why companies need a data retention and breach notification policy are to protect against liability for data management claims, fulfill contractual obligations with clients, and comply with regulatory requirements. The National Conference of State Legislatures (NCSL) reports that eight US states introduced new consumer privacy laws in 2023 alone. Among the existing laws, there are several legal frameworks and state-level regulations that may require your business to comply with data retention and breach notification laws.

Health Insurance Portability and Accountability Act (HIPAA)

This is a health and patient data privacy federal law established to control protected health information (PHI) from being disclosed without the patient's consent or knowledge.

Data retention: HIPAA data retention rules require applicable organizations to keep patient data and records for a minimum of six (6) years.

Breach notification: covered entities have a duty to notify the affected individuals and the U.S. Department of Health & Human Services (HHS) “without unreasonable delay” and in no more than 60 calendar days from the date of discovery of the breach.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a privacy law that applies to organizations that process the personal information of individuals in the European Union.

Data retention: GDPR mandates that personal data should only be retained for the period necessary to fulfill the purposes for which it was originally collected (except for scientific and research purposes).

Breach notification: Article 33 mandates that cybersecurity breaches must be reported to supervisory authorities 72 hours after discovery.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act regulates non-public personal information (NPI), compelling institutions that provide financial products or services to consumers (loans, financial and investment advice, or insurance) to disclose how they share consumer information and protect their data.

Data retention: requirements are six (6) years and include the enforcement of secure access controls for protecting stored financial information.

Breach notification: Under the Federal Trade Commission’s (FTC) new amendment from November 2023. Financial institutions that are breached must inform the FTC within 30 days if the breach affects the data of 500 or more consumers.

How Cyera helps businesses comply with data retention and breach notification requirements

Cyera enables security teams to understand where and for how long data has been stored so that organizations can honor their contractual obligations in a vendor-client relationship.

Data retention:  Cyera creates an inventory of data, including customer, intellectual property, and business data that may have been shared as a result of vendor-client relationships. Cyera gives organizations the visibility needed to balance operational retention requirements, like disaster recovery, with contractual or regulatory requirements.

Data minimization: One of the safest ways to keep sensitive data safe is to minimize the attack surface. Cyera helps security teams identify stale or redundant data that are in violation of retention policies and need to be removed.

Breach identification and mitigation: For breach incidents, Cyera enables security teams to quickly understand the impacted data, including the number of records and the data subject’s residency. Residency context is important for understanding which jurisdictions must be notified of a breach. Additionally, Cyera’s platform allows teams to see who has access to the data along with exposure gaps that may lead to the breach. This helps teams analyze the blast radius of the incident so that they can determine the scale of the attack, contain it, and notify the relevant stakeholders of what data was lost.

To learn more about Cyera’s Data Security Platform and to better understand how to safeguard your data, please visit