Iron Mountain - Records Management Rules, Regulations and Standards Summaries

Get Your Bearings in the Regulatory Environment: Overview of the Rules

Corporations today face an ever-growing number of federal and state regulations. If not understood, planned for, and complied with, these mandates threaten the bottom line of every public company in America. Records managers and executives alike must become familiar with these regulations in order to avoid stiff penalties and preserve brand equity.

Review a summary of the more prominent regulations impacting records management:

Sarbanes-Oxley Act of 2002 (SOX)

Implements multiple sweeping reforms for public companies, auditors, board members and lawyers.

Applies to all U.S. public companies and non-U.S. public companies that have issued securities in the U.S. public markets and are required to file periodic reports with the Securities and Exchange Commission.

Prescribes a system of federal oversight of public auditors.

Prohibits specified behavior regarding insider trades, loans to officers and directors, disclosure of information and improper influence on audits.

Imposes new criminal penalties relating to fraud, conspiracy, destruction of evidence and interfering with investigations.

Requires management to establish and maintain an adequate internal control structure and procedures for financial reporting.

Requires establishment of a process for employees to submit, in confidence and with anonymity, concerns regarding questionable accounting matters.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Limits the use and disclosure of individually identifiable information relating to the physical or mental health of individuals absent the consent or authorization from the patient.

Requires that all records regardless of format be managed as part of the organization’s official records management program.

Requires training to ensure employees are aware of the requirements.

Privacy Rules issued under the Act became effective in April 2001. Security Rules under the Act became effective in April 2006.

Applies to doctors, hospitals, pharmacies, medical billing services, health care plans, HMOs, and business associates of these entities such as their accountants and attorneys.

Imposes strict data disposal requirements, including overwriting or physically destroying all magnetic media that is no longer in use or that is given away or sold.

Gramm-Leach-Bliley Act (GLB), November 1999

Requires financial institutions to ensure the security and confidentiality of customers’ non-public, personal information.

Organizations are required to send privacy notices automatically to customers.

Harm caused by “identity theft” has led the federal government to create mandates such as this to prevent the negligent disclosure of private information.

Safe Harbor Act

In October 1998, the European Union passed the European Union Data Protection Directive. This Directive places new requirements on businesses that wish to collect, process or transfer personal data from an EU Member State.

Under the Directive, the transfer of personal information from an EU Member State to a non-EU country is forbidden unless the receiving country provides an “adequate” level of privacy protection. The EU Directive has very strict privacy rules pertaining to personal information of its citizens.

In order to avoid potential disruptions in trade between the U.S. and the EU, the U.S. Department of Commerce in consultation with the European Commission and industry developed the Safe Harbor framework. This framework allows U.S. companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the “adequacy” requirement of the European Directive of Data Protection.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, USA Patriot Act, October 2001

Contains measures to prevent, detect and prosecute terrorism and international money laundering.

Gives the government new powers to request confidential company information and requires that financial institutions know their customer base intimately.

Provides the government with authority to intercept wire, oral and electronic communications and to prosecute offenders.

Reporting requirements now extend to credit unions and entities trading commodities and futures.

Requires every financial institution to develop and implement an anti-money laundering program.

Electronic Signature in Global and National Commerce Act

Provides assurances that electronic records and contracts can have the same legal authority and protection as paper records and contracts.

Requires that companies address their e-commerce activities and implement measures to ensure that these activities meet acceptable standards.

Fair and Accurate Credit Transactions Act of December 2003 (FACTA) and The FACT Act Disposal Rules

Amends the Fair Credit Reporting Act, the federal law governing the use of credit reports.

Requires banking agencies to adopt consistent and comparable rules applicable to the entities they regulate, requiring such entities to properly dispose of any consumer information.

Requires organizations that possess or maintain “consumer information” for business purposes to properly dispose of it by taking reasonable precaution to protect against unauthorized disclosure. This includes consumer information in any format including electronic records.

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Governs the collection, use, and disclosure of personal information in commercial activities by organizations of all types, including associations, partnerships, trade unions and the Canadian offices or subsidiaries of foreign companies.

Applies to both traditional paper-based business as well as online commercial activities.

Rules 26 & 34 of the Federal Rules of Civil Procedure

Govern the discovery and disclosure of information relevant to civil actions.

Applies to organizations facing litigation and those aware that a discovery request may be made.

Organizations with poor records management programs can face court sanctions and loss of rights in litigation.

Uniform Preservation of Private Business Records Act (UPPBRA)

A statute enacted by several states. It declares that, unless a specific period is designated by law for their preservation, business records that persons are required by the laws of the state to keep or preserve may be destroyed three years after the records were made without constituting an offense under those laws.

Uniform Photographic Copies of Business and Public Records as Evidence Act (UPA)

Enacted by almost all states, it specifies that reproductions of records have the same legal significance as the original and may be used in place of the original for all purposes including evidence.

Bank Secrecy Act

Requires financial institutions to maintain records of personal financial transactions that are useful to the Department of Treasury in criminal, tax and regulatory investigations.

ISO 15489 – Records Management Standard developed by the International Organization for Standardization in 2001

International standard that provides a high-level framework for recordkeeping and specifically addresses the benefits of records management, the regulatory considerations affecting its operation and the importance of assigning responsibility for recordkeeping.

Provides specific detail about the development of records management policy and responsibility statement and outlines processes for developing recordkeeping systems.

SEC Rules 17a-3 & 4

Record retention requirements governing broker-dealer records in all formats.

The Paperwork Reduction Act of 1980

Provides the framework to control the paperwork burdens the federal administrative agencies can place on the public and empowers the Office of Management and Budget (OMB), Executive Office of the President, to develop regulations to implement the act and to enforce continual monitoring of the process.

DoD 5015.2-STD – Department of Defense Design Criteria Standard for Electronic Records Management Software Applications – 6/19/2002

Establishes mandatory baseline functional requirements for Records Management Applications (RMA) software used by the DoD Components in the implementation of their records management programs.

Defines the required system interfaces and search criteria to be supported by the RMAs.

Describes the minimum records management requirements that must be met, based on current National Archives and Records Administration (NARA) regulations.