Haystack Associates, Inc. About Haystack

Below is a summary of some of the recent regulatory requirements that impact records management and retention programs.

President Obama signs Cyber Security Executive Order
The Order, signed on February 14, 2013, directs the National Institute of Standards and Technology ("NIST"), through a consultative process with other agencies and critical infrastructure ("CI") owners and operators, to develop cybersecurity performance standards and methods to reduce risks to CI. It also directs the Department of Homeland Security ("DHS") and the agencies responsible for CI sectors to create a program that encourages CI owners and operators to voluntarily adopt the Cybersecurity Framework established by NIST. It further directs agencies that have statutory authority to regulate CI to determine whether they have "clear authority" to establish mandatory standards based on the Cybersecurity Framework and, if current regulatory requirements are deemed insufficient, to impose such standards through rulemaking.

HIPAA Amendments
Regulations amending HIPAA requirements were published January 25, 2013. Of note, HIPAA compliance is required for business associates and the definition of business associates has been broadened; privacy, security, and breach notification requirements have been strengthened; and privacy notices must be updated and redistributed.

EU Proposal for Data Breach Requirements for Critical Companies
Draft regulations currently being circulated by the European Union's Executive Committee may soon require European businesses that provide critical infrastructure services, including banks, stock exchanges, telecommunications firms and utilities, to disclose to authorities any data breach they suffer. The committee plans to formally introduce the recommendation in February 2013, after receiving feedback from the European Parliament and the 27 member countries that make up the EU.

COPPA Regulations
The US Federal Trade Commission (FTC) has issued new rules, effective July 1, 2013, under the Children's Online Privacy Protection Act (COPPA) that strengthen existing restrictions on the online collection and use of personal information about children under the age of 13. Of note, the FTC expanded the reach of COPPA to many websites that incorporate third-party applications, plug-ins, or advertising networks, and clarified that personal information includes: photographs, videos or audio files containing a child's image or voice, even if the files do not contain any other identifying data; persistent identifiers that can be used to recognize a user over time and across different websites or online services, if the identifier is used for purposes beyond support for the internal operations of the website or online service; street-name-level geolocation information, even without a specific address number; and screen names or user names that function in the same manner as online contact information and enable direct contact with a person online, such as an email address, voice over Internet protocol identifier, instant messaging user identifier, or video chat user identifier.

EU Article 29 Working Party
Opinion published July 1, 2012 on data protection issues for data controllers using cloud computing services.

EU Cookie Law
On May 26, 2011, the revision to the 2009 EU Privacy Directive known as the "EU cookie law" goes into effect. Requirements include obtaining explicit and informed consent from web site visitors before using cookies to track visitor information, browsing history, or preferences, unless the information is needed to process an order or provide a service. Until further guidance is provided on the means acceptable for obtaining consent (browser settings), businesses are encouraged to clearly notify visitors of the cookies used and their purpose, and to obtain consent before visitors enter a web site.

Proposed California Bill 2011
Under the proposal, SB242, social-networking sites would have to allow users to establish their privacy settings -- such as who could view their profile and what information would be public to everyone on the Internet -- when they register to join the site instead of after they join. Sites would also have to set defaults to private for new accounts, so that users would choose which information is public after the account is activated. It also requires that privacy policies be provided in plain language to potential users. Fines for willful violation are proposed at $10,000.00 per violation.

Dodd-Frank Financial Reform Act
Sets a new Federal minimum statute of limitations for contract claims, tort, and fraud actions that in some cases may be longer than State requirements. It also allows for financial reimbursement from Directors of failed financial companies, provides new protection measures for whistle-blowers, and sets minimum retention requirements for record-keeping of transactions, reporting, and training of employees.

Health Insurance Portability and Accountability Act / HITECH Act
HIPAA establishes rules regarding the storage of, privacy of, and access to information maintained by health care providers and hospitals. New and proposed rules in 2010 extend regulations, monitoring, and security measure requirements to business associates and vendors, and require public and official reporting if information security is breached.

Credit Card Act (Gift Cards)
Sets new Federal standards for gift card programs, in addition to individual State requirements, that prohibit the sale of gift certificates or cards with an expiration date less than five years after the date the card was issued or the date that funds were last loaded on a store gift card or general-use prepaid card.

Health Care Reform Act
April 2011 President Obama repealed the provision requiring 1099 forms on all vendors that provide over $600 worth of services or products to a company during the year.

Rules of Civil Procedure
Amendments to the Federal Rules of Civil Procedure take effect December 1, 2006. The changes require a pre-trial conference between the parties within 90 days after the appearance of a defendant, and within 120 days after the complaint has been served on a defendant, to identify issues with e-discovery and to address how information considered protected or privileged will be handled. At the conference, parties must identify information by description, category, location, and source in enough detail to assess the cost of discovery, any burden to access and produce it, and the likelihood of finding responsive information.

Security and Privacy Regulations
Numerous U.S. federal, state, and international laws affect the collection, use, storage, processing, and transfer of personal information about customers, consumers, and employees, and impose reporting requirements when security breaches occur (some as short as 5 days from discovery). These laws include requirements for business operations, policies, procedures, training of staff/contractors, and outsourcing of data processing or storage, as well as for monitoring and validating compliance with privacy and security obligations within the company and at outsourced operations or vendors.

Sarbanes-Oxley Act
SOX, passed in 2002, requires publicly traded companies and their accounting firms to identify and evaluate areas of risk and to review and document the systems and processes that affect the accuracy of information in financial systems, statements, and reports.

Gramm-Leach-Bliley Act
GLBA establishes rules on the maintenance, protection, disposal, and disclosure of personal financial information by financial institutions.

Basel II
Requires financial institutions that operate globally to create and maintain records that support credit operations and risk assessment in an auditable format over time.

Bioterrorism Act
Requires that certain records be retained by manufacturers, processors, packagers, distributors, holders, and importers of food products in the US. Records have minimum retention requirements and must be available to the FDA upon request, providing a clear audit trail from ingredients to point of sale.

For more information, please contact Denise Simons by:
E-mail: dsimons@haystackassociates.com
Phone: (253) 631-1509

Copyright ©2000 - 2019 Haystack Associates, Inc. All Rights Reserved