Records Management: Cases And Regulations

qwertyuiopasdfghjklzxcvbnmqwerty  

uiopasdfghjklzxcvbnmqwertyuiopasdf  

 

ghjklzxcvbnmqwertyuiopasdfghjklzxc The Landscape has  changed –   Cases and  Regulations 

vbnmqwertyuiopasdfghjklzxcvbnmqw  

Records Management    04.09.2008    Mario Rieger   

ertyuiopasdfghjklzxcvbnmqwertyuiop  

asdfghjklzxcvbnmqwertyuiopasdfghjkl zxcvbnmqwertyuiopasdfghjklzxcvbnm qwertyuiopasdfghjklzxcvbnmqwertyui opasdfghjklzxcvbnmqwertyuiopasdfgh

THE LANDSCAPE HAS CHANGED: CASES AND REGULATIONS 2001 – 2005 While regulations governing the retention and management of corporate records have long been around, the last four years have brought about dramatic changes in how corporations approach this aspect of their business. Since 2001, we have been witness to high-profile cases in which corporate records and more specifically, corporate records management were at the very heart of the cases; Arthur Andersen, Rambus v. Infineon, Zubulake v. UBS Warburg and most recently Coleman Holding v. Morgan Stanley. During this same time, we have seen the onslaught of legislation that either directly or indirectly impose certain requirements on the management of corporate records; Gramm-LeachBliley, USA PATRIOT Act, Sarbanes Oxley, HIPAA, Notification of Risk to Personal Data Act, and FACTA, along with numerous state legislation. A. HIPAA The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996.1 The regulations apply to what are called “covered entities;” healthcare providers, health plans and healthcare clearinghouses that transmit any health information in electronic form in connection with a transaction covered under HIPAA. The regulations are made up of three distinct parts: transaction standards, privacy and security. B. USA PATRIOT Act The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act)2 requires all “financial institutions,” now broadly defined, to establish anti-money laundering programs. Such “financial institutions” include banks and bankers, brokers, insurance companies, and individuals involved in real estate closings, to name a few. C. Gramm-Leach-Bliley

Mario Rieger

Digitally signed by Mario Rieger DN: cn=Mario Rieger, o, ou, email=mario_rieger@w eb.de, c=US Reason: I am the author of this document Date: 2009.07.24 15:00:36 +02'00'

The Gramm-Leach-Bliley (GLB) Act of 19993 requires financial services organizations to create privacy policies, which they must share with their customers,

1

and governs how information can be shared within and between institutions. D. Sarbanes-Oxley Act The Sarbanes-Oxley (SOX)4 Act affects all public companies, whose stock is traded on United States exchanges. Section 302 requires executives to personally certify the validity of financial statements. Section 404 requires documenting all critical operational controls, assessing the effectiveness of these controls over financial reporting, and subjecting the assessment report to the scrutiny of independent auditors. E. NORPDA Under the Notification of Risk to Personal Data (NORPDA) Act5, every United States business and government entity must notify customers in the event of a network security breach that would cause the disclosure of personal nonpublic data. F. FACTA The Fair and Accurate Credit Transaction Act of 20036 added new sections to the federal Fair Credit Reporting Act, intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights disclosure are included in FACTA.

2