May 27, 2022

T’Mobile: Deleting Stale Data Reduces Liability

T-Mobile’s data breach in August 2021 exposed the social security numbers and drivers license numbers for over 40 million former or prospective customers. I recently discovered that I was one such victim because of an alert that popped up on my phone this weekend from my credit monitoring service. I was surprised because I have not been a customer for over 5 years. Why did they still have my data? 

T-Mobile has not yet contacted me or explained why they retained my data. Various state and federal regulators are now investigating whether T-Mobile had “reasonable data security” measures in place to protect customer information. Certain aspects of the regulatory investigation will undoubtedly examine what technical measures T-Mobile used and whether they were adequate. But one important non-technical issue worth investigating further is whether the company had meaningful data retention and deletion policies, and whether it followed them. 

It appears T-Mobile’s privacy policy first introduced a statement about its data retention practices in 2013, as captured in a longitudinal study, “Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset,” that our team of researchers at the Center for Information Technology Policy published in 2021. The retention policy itself is a terse one-line statement that says “we retain your personal data for business or tax needs, or legal reasons,” without any further explanation. 

But what “business need” required retaining sensitive information about former or prospective customers who had not converted into T-Mobile customers? If T-Mobile cannot justify a legitimate need, it should be held accountable for misleading the public about its data practices.

Recent data breaches involving telecommunication carriers – this is the 5th reported breach for T-Mobile since 2018 – have led the Federal Communications Commission to consider new rules to address data breaches. The FCC might draw inspiration from the Federal Trade Commission’s security guidelines for information held by financial institutions. The FTC used our public comments to modify the Safeguards Rule to require automatic destruction of customer information two years after it was last used, unless the information is required for a legitimate business purpose. 

In a different context, the FTC’s rules implementing the Children’s Online Privacy Protection Act of 1998 also mandates data retention and deletion requirements when it comes to information about children: “An operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.” 

In short, minimizing data collection and retention are simple, inexpensive steps that are effective against all manner of sophisticated or unsophisticated attacks. Any company that seeks to protect their customers should develop such policies to reduce its liability in the event of a data breach.