“Being responsible for confidential and crucial information for my clients makes this backup system an easy choice. I recently had a computer crash and with Dan Dugal's help was able to operate my business in a matter of hours.”
— Daniela Hops
Data Protection, Privacy and Regulatory Compliance Laws

Corporations today face growing federal and state regulations. If not understood, planned for, and complied with, these mandates threaten the bottom line of every public U.S. company.

Records managers and executives alike must become familiar with these regulations in order to avoid stiff penalties and preserve brand equity.
Federal regulations protecting consumer data
Any organization that collects and stores consumer information may be affected:
- Fair and Accurate Credit Transactions Act (FACTA): protects “consumer information” and provides regulations to properly dispose of it and protect against unauthorized disclosure
- Electronic Signatures in Global and National Commerce Act: provides assurances that electronic records and contracts can have the same legal authority and protection as paper records and contracts
- Rules 26 & 34 of the Federal Rules of Civil Procedure: govern the discovery and disclosure of information relevant to civil actions
- Uniform Preservation of Private Business Records Act (UPPBRA): enacted by several states; business records not otherwise specified may be destroyed after the expiration of three years
- Uniform Photographic Copies of Business & Public Records as Evidence Act (UPA): reproductions of records have the same legal significance as the original
- The Paperwork Reduction Act of 1980: provides the framework to control the paperwork burdens the federal administrative agencies can place on the public
- Department of Defense: Standard for Records Management Software: establishes mandatory baseline functional requirements for Records Management Applications (RMA) software
- U.S. General Services Administration: GSA Advantage Approved Vendor. Contact us directly regarding GSA vendor approval. We can personally tailor a bid proposal to your specific Federal Government contract needs.
Federal regulations protecting industry-specific data
Doctors, dentists, bankers, accountants, CPAs, financial advisors, lenders, brokers, etc.:
- Health Insurance Portability and Accountability Act (HIPAA): limits the use and disclosure of individually identifiable information
- Sarbanes-Oxley Act: implements multiple sweeping reforms within the accounting industry
- Gramm-Leach-Bliley Act (GLB): requires financial institutions to ensure the security and confidentiality of customers' non-public, personal information
- Bank Secrecy Act: requires financial institutions to maintain records of transactions that are useful to the Department of Treasury in criminal, tax and regulatory investigations
- SEC Rules 17a-3 & 4: record retention requirement governing broker-dealer records in all formats
State regulations
These laws affect any business with clients in these states (more states will soon follow):
- Massachusetts 201 CMR 17.00: taking effect on March 1, 2010, this law regulates the way organizations store, transfer and protect personal information. All files must be encrypted and stored safely.
- New York: Information Security Breach and Notification Act: Governor George Pataki signed the Information Security Breach and Notification Act (A04254) into law on August 10th, 2005, joining a growing number of states which legislate the protection of consumers' personal data.
- California's SB-1386 law requires disclosure of compromised data: privacy law requiring all businesses that own or license computerized data with personal information to disclose to residents any data security breach if unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.
- Washington's Substitute Senate Bill (SB-6043): enacted on July 23rd, 2005, the law regulates disclosure standards concerning data security breaches involving unencrypted personal information.
International business regulations
These laws affect any business with international clients or transactions:
- USA Patriot Act: measures to prevent, detect and prosecute terrorism and international money laundering, giving the government new powers to request confidential company information
- Safe Harbor Act (European Union Data Protection Directive): places new requirements on businesses that wish to collect, process or transfer personal data from an EU Member State
- ISO 15489 Records Management Standard: international standard that provides a high-level framework for recordkeeping
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA): governs the collection, use, and disclosure of personal information in commercial activities
Further detail on the regulations listed above:

Sarbanes-Oxley Act
- Implements multiple sweeping reforms for public companies, auditors, board members and lawyers
- Applies to all U.S. public companies and non-U.S. public companies that have issued securities in the U.S. public markets and are required to file periodic reports with the Securities and Exchange Commission
- Prescribes a system of federal oversight of public auditors
- Prohibits specified behavior regarding insider trades, loans to officers and directors, disclosure of information and improper influence on audits
- Imposes new criminal penalties relating to fraud, conspiracy, destruction of evidence and interfering with investigations
- Requires management to establish and maintain an adequate internal control structure and procedures for financial reporting
- Requires establishment of a process for employees to submit, in confidence and with anonymity, concerns regarding questionable accounting matters

Health Insurance Portability and Accountability Act (HIPAA)
- Limits the use and disclosure of individually identifiable information relating to the physical or mental health of individuals absent the consent or authorization from the patient
- Requires that all records, regardless of format, be managed as part of the organization's official records management program
- Requires training to ensure employees are aware of the requirements
- Privacy Rules issued under the Act became effective in April 2001. Security Rules under the Act became effective in April 2006
- Applies to doctors, hospitals, pharmacies, medical billing services, health care plans, HMOs, and business associates of these entities such as their accountants and attorneys
- Imposes strict data disposal requirements, including overwriting or physically destroying all magnetic media that is no longer in use or that is given away or sold

Gramm-Leach-Bliley Act (GLB)
- Requires financial institutions to ensure the security and confidentiality of customers' non-public, personal information
- Organizations are required to send privacy notices automatically to customers
- Harm caused by “identity theft” has led the federal government to create mandates such as this to prevent the negligent disclosure of private information

Safe Harbor (European Union Data Protection Directive)
- In October 1998, the European Union passed the European Union Data Protection Directive. This Directive places new requirements on businesses that wish to collect, process or transfer personal data from an EU Member State
- Under the Directive, the transfer of personal information from an EU Member State to a non-EU country is forbidden unless the receiving country provides an “adequate” level of privacy protection. The EU Directive has very strict privacy rules pertaining to personal information of its citizens
- In order to avoid potential disruptions in trade between the U.S. and the EU, the U.S. Department of Commerce, in consultation with the European Commission and industry, developed the Safe Harbor framework. This framework allows U.S. companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the “adequacy” requirement of the European Directive of Data Protection

USA Patriot Act
- Contains measures to prevent, detect and prosecute terrorism and international money laundering
- Gives the government new powers to request confidential company information and requires that financial institutions know their customer base intimately
- Provides the government with authority to intercept wire, oral and electronic communications and to prosecute offenders
- Reporting requirements now extend to credit unions and entities trading commodities and futures
- Requires every financial institution to develop and implement an anti-money laundering program

Electronic Signatures in Global and National Commerce Act
- Provides assurances that electronic records and contracts can have the same legal authority and protection as paper records and contracts
- Requires that companies address their e-commerce activities and implement measures to ensure that these activities meet acceptable standards

Fair and Accurate Credit Transactions Act (FACTA)
- Amends the Fair Credit Reporting Act, the federal law governing the use of credit reports
- Requires banking agencies to adopt consistent and comparable rules applicable to the entities they regulate, requiring such entities to properly dispose of any consumer information
- Requires organizations that possess or maintain “consumer information” for business purposes to properly dispose of it by taking reasonable precaution to protect against unauthorized disclosure. This includes consumer information in any format, including electronic records

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
- Governs the collection, use, and disclosure of personal information in commercial activities by organizations of all types, including associations, partnerships, trade unions and the Canadian offices or subsidiaries of foreign companies
- Applies to both traditional paper-based businesses as well as online commercial activities

Rules 26 & 34 of the Federal Rules of Civil Procedure
- Govern the discovery and disclosure of information relevant to civil actions
- Apply to organizations facing litigation and those aware that a discovery request may be made
- Organizations with poor records management programs can face court sanctions and loss of rights in litigation

Uniform Preservation of Private Business Records Act (UPPBRA)
- Statute enacted by several states declares that unless a specific period is designated by law for their preservation, business records which persons by the laws of this state are required to keep or preserve may be destroyed after the expiration of three years from the making of such records without constituting an offense under such laws

Uniform Photographic Copies of Business & Public Records as Evidence Act (UPA)
- Enacted by almost all states, it specifies that reproductions of records have the same legal significance as the original and may be used in place of the original for all purposes, including evidence

Bank Secrecy Act
- Requires financial institutions to maintain records of personal financial transactions that are useful to the Department of Treasury in criminal, tax and regulatory investigations

ISO 15489 Records Management Standard
- International standard that provides a high-level framework for recordkeeping and specifically addresses the benefits of records management, regulatory considerations affecting its operation and the importance of assigning responsibility for recordkeeping
- Provides specific detail about the development of records management policy and responsibility statement and outlines processes for developing recordkeeping systems

SEC Rules 17a-3 & 4
- Record retention requirement governing broker-dealer records in all formats

The Paperwork Reduction Act of 1980
- Provides the framework to control the paperwork burdens the federal administrative agencies can place on the public and empowers the Office of Management and Budget (OMB), Executive Office of the President, to develop regulations to implement the act and to enforce continual monitoring of the process

Department of Defense: Standard for Records Management Software
- Establishes mandatory baseline functional requirements for Records Management Applications (RMA) software used by the DoD Components in the implementation of their records management programs
- Defines required system interfaces and search criteria to be supported by the RMAs
- Describes the minimum records management requirements that must be met, based on current National Archives and Records Administration (NARA) regulations