Evaluate your RIM program.
Download the ACS RIM Program Self-Audit.

Regulatory Responsibility

The responsibility to guard and maintain active and archival information for your organization has never been greater. Regulatory requirements have been introduced and/or modified to more clearly define roles and responsibilities for information management, as well as outline penalties for noncompliance.

Here are a few of the key regulations affecting the records and information management industry that may impact your organization:

The Gramm-Leach-Bliley Act
The Sarbanes Oxley Act
HIPAA
FACTA

The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, is aimed at financial institutions and includes provisions to protect consumers' personal financial information held by these companies. It is enforced by eight separate federal agencies and the states. The GLB Act provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

Financial Privacy Rule
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.

Safeguards Rule
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions "such as credit reporting agencies" that receive customer information from other financial institutions.

Pretexting Provisions
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."

Are you in compliance with GLB storage requirements?
Today's interpretation of Gramm-Leach-Bliley in relation to data security extends beyond your storage device alone and, in fact, encompasses a company's policies and procedures as well as the hardware that maintains the storage infrastructure. When it comes to policies and procedures, your storage system should be protected from any and all outside and unauthorized access. It is important that you define who can access which data, and under what circumstances. Access to sensitive customer information should be logged to help provide accountability and provide a deterrent to insiders that threaten customer privacy. Your actual storage system should actually be secondary. As long as it's protected from unauthorized access, and you know who has permissions, when someone accessed information, and why, your company will be able to conduct business, even with Gramm-Leach-Bliley in place.

The Sarbanes Oxley Act

The Sarbanes-Oxley Act (SOX) was signed into law on July 30, 2002 in response to corporate scandals such as Enron, WorldCom and . Sarbanes-Oxley has been called by many the most far-reaching U.S. securities legislation in years. The Act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the "Public Company Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing profession. Now, all companies required to file periodic reports with the Securities and Exchange Commission (SEC) have new duties for reporting and corporate obligation.

Non-compliance comes with significant penalties. For example, altering, destroying, concealing or falsifying records or documents with the intent to influence a federal investigation or bankruptcy case is subject to fines and up to 20 years imprisonment.

For more information visit the Securities and Exchange Commission and Sarbanes Oxley 101 websites for full details of the Act.

HIPAA

The American Health Insurance Portability and Accountability Act (HIPAA) took effect on April 14, 2003 and is a set of rules to be followed by health plans, doctors, hospitals and other health care providers. HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:

Standardization of electronic patient health, administrative and financial data
Unique health identifiers for individuals, employers, health plans and health care providers
Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

In the health care and medical profession, the great challenge that HIPAA has created is the assurance that all patient account handling, billing, and medical records are HIPAA compliant. Some provisions of the HIPAA involve patient / hospital interaction. For example, patients must be able access their record and correct errors and must be informed of how their personal information will be used. Other provisions involve confidentiality of patient information and documentation of privacy procedures. It is these provisions that have led to regulation-specific software updates, specialist consulting, and in some cases complete overhauls of medical billing and records systems. When regulations are not followed, HIPAA calls for severe civil and criminal penalties, including:

fines up to $25K for multiple violations of the same standard in a calendar year
fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. More details regarding compliance schedules can be found on the Compliance Calendar on the Status of HIPAA Regulations.

FACTA

On June 1, 2005, the FTC's rule on the proper storage and disposal of certain "consumer information" went into effect. This rule was issued by the FTC as part of its jurisdiction under the Fair and Accurate Credit Transactions Act or FACTA. FACTA became law on December 4, 2003. enhanced the ability of consumers to combat identify theft, to increase the accuracy of consumer reports, and to allow consumers to exercise greater control regarding the type and amount of marketing solicitations they receive. It also restricts the use and disclosure of sensitive medical information that is contained in a consumer report. In addition, to promote increasingly efficient national credit markets, FACTA establishes uniform national standards in key areas of regulation regarding consumer report information.

This latest FACTA rule requires any business "that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose" to "properly dispose of such information or compilation." The rules for what constitutes "consumer information" and its proper disposal can be confusing at best and the penalty for non-compliance can be steep. Go online for the FTC's final version of its FACTA disposal rule.