Below is a summary of some of the recent regulatory
requirements that impact records management and retention programs.
President Obama signs Cyber Security
The Order signed on February 14,
2013 directs the National Institute of Standards and Technology ("NIST"),
through a consultative process with other agencies and CI (critical
infrastructure) owners and operators, to develop cybersecurity performance
standards and methods to reduce risks to CI. It also directs the
Department of Homeland Security ("DHS") and agencies responsible for CI
sectors to create a program to encourage CI owners and operators to
voluntarily adopt the Cybersecurity Framework established by NIST. It
further directs agencies that have statutory authority to regulate CI to
determine whether they have "clear authority" to establish mandatory
standards based on the Cybersecurity Framework and, if current regulatory
requirements are deemed insufficient, to impose such standards through
Published January 25, 2013
regulations amending HIPAA requirements. Of note HIPAA certification
of is required for business associates and the definition of business
associates has been broadened; privacy. security, and breach notification
requirements have been strengthened; and privacy notices must be updated and
EU Proposal for Data Breach Requirements
for Critical Companies
Draft regulations currently being
circulated by the European Union's Executive Committee may soon require
European businesses that provide critical infrastructure services, including
banks, stock exchanges, telecommunications firms and utilities, disclose to
authorities any data breach they suffer. The committee plans to formally
introduce the recommendation in February 2013, after receiving feedback from
the European Parliament and the 27 different countries in Europe that
comprise the EU.
The US Federal Trade Commission (FTC) has
issued new rules effective July 1st, 2013 under the Children's Online
Privacy Protection Act (COPPA) that strengthen existing restrictions on the
online collection and use of personal information about children under the
age of 13. Of note, the FTC expanded the reach of COPPA to many websites
that incorporate third-party applications, plug-ins, or advertising networks
and clarifies personal information to include: photographs, videos or
audio files containing a child's image or voice, even if the files do not
contain any other identifying data; persistent identifiers that can be used
to recognize a user over time and across different websites or online
services, if the identifier is used for purposes beyond support for the
internal operations of the website or online service; street-name-level
geolocation information, even without a specific address number; and screen
names or user names that function in the same manner as online contact
information and enable direct contact with a person online, such as an email
address, voice over Internet protocol identifier, instant messaging user
identifier, or video chat user identifier.
EU Article 29 Working Party
Opinion published July 1, 2012 on data protection issues
for data controllers and cloud computing services.
May 26th 2011 the revision to the
2009 EU Privacy Directive known as the "EU cookie law" goes into effect.
Requirements include obtaining explicit and informed consent by web site
visitors before using cookies to track visitor information, browsing
history, or preferences unless the information is needed to process an order
or provide a service. Until further guidance is provided on the means
acceptable to obtain consent (browser settings) businesses are encouraged to
clearly notify visitors of cookies used and their purpose and obtain consent
before visitors enter a web site.
Proposed California Bill 2011
Under the proposal, SB242,
social-networking sites would have to allow users to establish their privacy
settings -- like who could view their profile and what information would be
public to everyone on the Internet -- when they register to join the site
instead of after they join. Sites would also have to set defaults to private
for new accounts so that users would choose which information is public
after the account is activated. It also requires privacy policies be
provided in plain language to potential users. Fines for willful
violation are proposed at $10,000.00 per violation.
Dodd-Frank Financial Reform Act
Sets new Federal minimum statute of
limitations for contract claims, tort, and fraud actions that in some cases
may be longer than State requirements. It also allows for financial
reimbursement from Directors of failed financial companies, provides new
protection measures for whistle-blowers, and sets minimum retention
requirements for record-keeping of transactions, reporting, and training of
Health Insurance Portability and Accountability Act / HiTech Act
HIPAA establishes rules regarding storage, privacy, and access to information
health care providers and hospitals. New and proposed rules in 2010 extend
regulations, monitoring, and security measure requirements to business associates,
vendors and require public and
official reporting if information security is breached.
Credit Card Act (Gift Cards)
Sets new Federal Standards for gift card programs
in addition to individual State requirements which prohibits the sale of
gift certificates or cards that have an expiration date which is less than
five years after the date it was issued, or the date that funds were last
loaded on a store gift card or general-use prepaid card.
Health Care Reform Act
April 2011 President Obama repealed
the provision requiring 1099 forms on all vendors that provide over $600 worth of
services or products to a company during the year.
Rules of Civil Procedure
Amendments to the Federal rules of civil procedure take effect December 1, 2006.
The changes require a pre-trial conference between parties within 90 days
after the appearance of a
defendant and within 120 days after the complaint has been served on a
defendant to identify issues with
e-discovery and deal with how information considered protected or privileged
will be handled.
At the conference parties must identify information by
description, category, location, and source in enough detail to
assess the cost of discovery, any burden to access and produce, and
likelihood of finding responsive information.
Security and Privacy Regulations
Numerous U.S. federal, state, and international laws that affect the collection,
use, storage, processing, and transfer of personal information about
customers, consumers, and employees as well as reporting requirements when
security breaches occur (some as little as 5 days from discovery). These laws include requirements for business
operations, policies, procedures, training of staff/contractors, outsourcing data processing or storage,
as well as monitoring and validating compliance of privacy and security
operations within the company and of outsourced operations or vendors.
SOX passed in 2002 requires publicly
traded companies and their accounting firms to identify and evaluate areas of risk and
review and document systems and processes that impact the accuracy of
information in financial systems, statements, and reports.
GLBA establishes rules on the maintenance, protection, disposal, and disclosure of
personal financial information by financial institutions.
Requires financial institutions that operate globally to
create and maintain records that support credit operations and risk in an
auditable format over time.
Requires certain records be retained by manufacturers,
processors, packagers, distributors, holders, and importers of food products
in the US. Records have minimum retention requirements and must be
available to the FDA upon request providing a clear audit trail from
ingredients to point of sale.