Review a summary of the more prominent regulations impacting records management:

Sarbanes-Oxley Act of 2002 (SOX)

Implements multiple sweeping reforms for public companies, auditors, board members and lawyers.

Applies to all U.S. public companies and non-U.S. public companies that have issued securities in the U.S. public markets and are required to file periodic reports with the Securities and Exchange Commission.

Prescribes a system of federal oversight of public auditors.

Prohibits specified behavior regarding insider trades, loans to officers and directors, disclosure of information and improper influence on audits.

Imposes new criminal penalties relating to fraud, conspiracy, destruction of evidence and interfering with investigations.

Requires management to establish and maintain an adequate internal control structure and procedures for financial reporting.

Requires establishment of a process for employees to submit, in confidence and with anonymity, concerns regarding questionable accounting matters.
|
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Limits the use and disclosure of individually identifiable information relating to the physical or mental health of individuals absent the consent or authorization of the patient.

Requires that all records, regardless of format, be managed as part of the organization's official records management program.

Requires training to ensure employees are aware of the requirements.

Privacy Rules issued under the Act became effective in April 2001. Security Rules under the Act became effective in April 2006.

Applies to doctors, hospitals, pharmacies, medical billing services, health care plans, HMOs, and business associates of these entities such as their accountants and attorneys.

Imposes strict data disposal requirements, including overwriting or physically destroying all magnetic media that is no longer in use or that is given away or sold.
|
Gramm-Leach-Bliley Act (GLB), November 1999

Requires financial institutions to ensure the security and confidentiality of customers' non-public personal information.

Organizations are required to send privacy notices automatically to customers.

Harm caused by "identity theft" has led the federal government to create mandates such as this to prevent the negligent disclosure of private information.
|
Safe Harbor Act

In October 1998, the European Union passed the European Union Data Protection Directive. This Directive places new requirements on businesses that wish to collect, process or transfer personal data from an EU Member State.

Under the Directive, the transfer of personal information from an EU Member State to a non-EU country is forbidden unless the receiving country provides an "adequate" level of privacy protection. The EU Directive has very strict privacy rules pertaining to personal information of its citizens.

In order to avoid potential disruptions in trade between the U.S. and the EU, the U.S. Department of Commerce, in consultation with the European Commission and industry, developed the Safe Harbor framework. This framework gives U.S. companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the "adequacy" requirement of the EU Data Protection Directive.
|
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), October 2001

Contains measures to prevent, detect and prosecute terrorism and international money laundering.

Gives the government new powers to request confidential company information and requires that financial institutions know their customer base intimately.

Provides the government with authority to intercept wire, oral and electronic communications and to prosecute offenders.

Reporting requirements now extend to credit unions and entities trading commodities and futures.

Requires every financial institution to develop and implement an anti-money laundering program.
|
Electronic Signatures in Global and National Commerce Act (E-SIGN)

Provides assurances that electronic records and contracts can have the same legal authority and protection as paper records and contracts.

Requires that companies address their e-commerce activities and implement measures to ensure that these activities meet acceptable standards.
|
Fair and Accurate Credit Transactions Act of December 2003 (FACTA) and the FACT Act Disposal Rules

Amends the Fair Credit Reporting Act, the federal law governing the use of credit reports.

Requires banking agencies to adopt consistent and comparable rules applicable to the entities they regulate, requiring such entities to properly dispose of any consumer information.

Requires organizations that possess or maintain "consumer information" for business purposes to properly dispose of it by taking reasonable precautions to protect against unauthorized disclosure. This includes consumer information in any format, including electronic records.
|
Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Governs the collection, use, and disclosure of personal information in commercial activities by organizations of all types, including associations, partnerships, trade unions and the Canadian offices or subsidiaries of foreign companies.

Applies to traditional paper-based businesses as well as online commercial activities.
|
Rules 26 & 34 of the Federal Rules of Civil Procedure

Govern the discovery and disclosure of information relevant to civil actions.

Apply to organizations facing litigation and those aware that a discovery request may be made.

Organizations with poor records management programs can face court sanctions and loss of rights in litigation.
|
Uniform Preservation of Private Business Records Act (UPPBRA)

Statute enacted by several states declaring that, unless a specific period is designated by law for their preservation, business records which persons are required by the laws of the state to keep or preserve may be destroyed after the expiration of three years from the making of such records without constituting an offense under such laws.
|
Uniform Photographic Copies of Business and Public Records as Evidence Act (UPA)

Enacted by almost all states, it specifies that reproductions of records have the same legal significance as the original and may be used in place of the original for all purposes, including evidence.
|
Bank Secrecy Act

Requires financial institutions to maintain records of personal financial transactions that are useful to the Department of the Treasury in criminal, tax and regulatory investigations.
|
ISO 15489 – Records Management Standard developed by the International Organization for Standardization in 2001

International standard that provides a high-level framework for recordkeeping and specifically addresses the benefits of records management, regulatory considerations affecting its operation and the importance of assigning responsibility for recordkeeping.

Provides specific detail about the development of a records management policy and responsibility statement and outlines processes for developing recordkeeping systems.
|
SEC Rules 17a-3 & 17a-4

Record retention requirements governing broker-dealer records in all formats.
|
The Paperwork Reduction Act of 1980

Provides the framework to control the paperwork burdens that federal administrative agencies can place on the public, and empowers the Office of Management and Budget (OMB), Executive Office of the President, to develop regulations to implement the Act and to enforce continual monitoring of the process.
|
DoD 5015.2-STD – Department of Defense Design Criteria Standard for Electronic Records Management Software Applications – 6/19/2002

Establishes mandatory baseline functional requirements for Records Management Application (RMA) software used by DoD Components in the implementation of their records management programs.

Defines required system interfaces and search criteria to be supported by RMAs.

Describes the minimum records management requirements that must be met, based on current National Archives and Records Administration (NARA) regulations.