FACTA intended primarily to help consumers fight identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. Companies that maintain consumer information (individually identifiable financial information) must take responsibility for properly disposing of this information through shredding or other means.
For more information visit Fair Credit Reporting Act or Information on the FACTA Disposal Rule.
The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate.
The Gramm-Leach-Bliley Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule applies to information of any consumers past or present of the financial institution’s products or services.) This plan must include:
For more information visit The Gramm-Leach Bliley Act.
The HITECH Act covers regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. This Act was passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). For more information visit Understanding HIPAA for Covered Entities.
HIPAA is designed to protect patient health information.The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information for whatever period such information is maintained by a covered entity, including through disposal.
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. Changes in HIPAA made in 2009 require more extensive policies and procedures than was previously the case. Information is available concerning HIPAA Compliance at Understanding HIPAA for Covered Entities.
This legislation is an amendment to the Civil Rights Act of 1964 passed as a result of the U.S. Supreme Court’s decision in Ledbetter vs. Goodyear Tire & Rubber Co. This Act restarts the 180-day statute of limitations for complaints to Equal Employment Opportunity Commission (EEOC) alleging pay discrimination each time a new “discriminatory” paycheck is issued. Retroactively effective to May 28, 2007, the Act holds that discriminatory pay decisions reoccur each time wages, benefits, or other compensation are paid. Therefore the 180-day time period (300 days if charges are also covered by state or local anti-discrimination laws) for employees to file EEOC charges against their employers is restarted each time employees are paid. Printable version of the complete BIS Records Control ALERT.
For the complete Act visit The Lilly Ledbetter Fair Pay Act.
PCI is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
To find out more about PCI compliance visit the PCI Security Standards Council
The FTC Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. The rule became effective on January 1, 2008 with full compliance among covered entities originally required by November 1, 2008. The Commission has issued several enforcement policies delaying the implementation of the rule, including this most recent delay. This delay is to allow Congress time to design and pass legislation that will deal with unintended consequences caused by implementation of the Red Flags rule as it is currently drafted. Are you complying with the Red Flags Rule? or watch the FTC video.
The primary effect of this legislation is to eliminate the “I didn’t know” defense for management. Because Sarbanes Oxley mandates management’s periodic duty to accurately report the state of the entity, accurate records must be kept to document management’s understanding of that state.
Compliance is required for audits and reviews completed on or after October 31, 2003.
Accounting firms must retain for seven years certain records relevant to their audits and reviews of issuers’ financial statements. Records to be retained include an accounting firm’s workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.
For more information, go to Final Rule: Sarbanes-Oxley Act of 2002.
It has been adopted by all but 3 states (New York, Illinois, Washington). The states that have not adopted the UETA have their own laws relating to the legal status of electronic records. UETA
Would you like a more detailed business records retention schedule customized for your records? Contact BIS!