Below is a summary of some of the recent regulatory
requirements that impact records management and retention programs.
EU Cookie Law
On May 26, 2011, the revision to the 2009 EU Privacy Directive known as the "EU cookie law" goes into effect. Requirements include obtaining explicit and informed consent from web site visitors before using cookies to track visitor information, browsing history, or preferences, unless the information is needed to process an order or provide a service. Until further guidance is provided on the acceptable means of obtaining consent (such as browser settings), businesses are encouraged to clearly notify visitors of the cookies used and their purpose, and to obtain consent before visitors enter a web site.
Proposed California Bill 2011
Under the proposal, SB242, social-networking sites would have to allow users to establish their privacy settings -- such as who could view their profile and what information would be public to everyone on the Internet -- when they register to join the site rather than after they join. Sites would also have to set defaults to private for new accounts, so that users choose which information is public after the account is activated. It also requires that privacy policies be provided in plain language to potential users. Fines for willful violation are proposed at $10,000.00 per violation.
Dodd-Frank Financial Reform Act
Sets a new federal minimum statute of limitations for contract claims, tort, and fraud actions that in some cases may be longer than state requirements. It also allows for financial reimbursement from directors of failed financial companies, provides new protection measures for whistle-blowers, and sets minimum retention requirements for record-keeping of transactions, reporting, and training of employees.
Health Insurance Portability and Accountability Act
HIPAA establishes rules regarding storage, privacy, and access to information maintained by health care providers and hospitals. New and proposed rules in 2010 extend regulations and monitoring to business associates and require public and official reporting if information security is breached.
Credit Card Act (Gift Cards)
Sets new federal standards for gift card programs, in addition to individual state requirements, which prohibit the sale of gift certificates or cards with an expiration date less than five years after the date of issue, or after the date that funds were last loaded on a store gift card or general-use prepaid card.
Health Care Reform Act
In April 2011, President Obama repealed the provision requiring 1099 forms for all vendors that provide over $600 worth of services or products to a company during the year.
Rules of Civil Procedure
Amendments to the Federal Rules of Civil Procedure took effect December 1, 2006. The changes require a pre-trial conference between the parties within 90 days after the appearance of a defendant, and within 120 days after the complaint has been served on a defendant, to identify e-discovery issues and to settle how information considered protected or privileged will be handled.
At the conference, parties must identify information by description, category, location, and source in enough detail to assess the cost of discovery, any burden of accessing and producing it, and the likelihood of finding responsive information.
Security and Privacy Regulations
Numerous U.S. federal, state, and international laws affect the collection, use, storage, processing, and transfer of personal information about customers, consumers, and employees, and impose reporting requirements when security breaches occur. These laws include requirements for business operations, policies, procedures, training of staff and contractors, and outsourcing of data processing or storage, as well as for monitoring and validating the compliance of privacy and security operations within the company and of outsourced operations or vendors.
Sarbanes-Oxley
SOX, passed in 2002, requires publicly traded companies and their accounting firms to identify and evaluate areas of risk and to review and document the systems and processes that affect the accuracy of information in financial systems, statements, and reports.
Gramm-Leach-Bliley Act
GLBA establishes rules on the maintenance, protection, disposal, and disclosure of
personal financial information by financial institutions.
Basel II
Requires financial institutions that operate globally to
create and maintain records that support credit operations and risk in an
auditable format over time.
Bioterrorism Act
Requires that certain records be retained by manufacturers, processors, packagers, distributors, holders, and importers of food products in the US. Records have minimum retention requirements and must be available to the FDA upon request, providing a clear audit trail from ingredients to point of sale.