<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>By Rick Surber Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/rick-surber/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/rick-surber/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Tue, 17 Oct 2023 22:00:04 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>By Rick Surber Archives - Zasio</title>
	<link>https://zasio.com/tag/rick-surber/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>American Data Privacy and Protection Act (ADPPA) Basics &#038; Why It’s Significant</title>
		<link>https://zasio.com/american-data-privacy-and-protection-act/</link>
					<comments>https://zasio.com/american-data-privacy-and-protection-act/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 15 Aug 2022 21:54:26 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[ADPPA]]></category>
		<category><![CDATA[American Data Privacy and Protection Act]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[comprehensive federal data privacy law]]></category>
		<category><![CDATA[data privacy law]]></category>
		<category><![CDATA[information governance consulting]]></category>
		<category><![CDATA[Information Governance software]]></category>
		<category><![CDATA[records and information management software]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=407</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/american-data-privacy-and-protection-act/" data-wpel-link="internal">American Data Privacy and Protection Act (ADPPA) Basics &#038; Why It’s Significant</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
<div class="et_pb_text_inner"><p>A comprehensive federal data privacy law in the United States has never been closer to reality. Even with bipartisan and bicameral support, it still has many obstacles to overcome to get through Congress. The most recent hurdle was making it out of the House Committee on Energy and Commerce, which sent the bill to the full House for consideration after numerous compromises led to a 53-2 vote to advance. The following is a big-picture overview of the ADPPA in its current form.</p>
<p><u>Who Supports/Opposes it, and What are the Major Points of Contention?</u></p>
<p>Proponents of the bill cite the need for comprehensive data privacy legislation at the U.S. federal level to “create a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms.”<a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> In addition, many companies in the business community also support the law as a way to create a national standard as opposed to a patchwork of different state laws.</p>
<p><strong><u>Preemption of state law</u></strong> is a major point of contention. Section 404 (b)(1) specifies that:</p>
<p><em>No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.<a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftn2" name="_ftnref2" data-wpel-link="internal"><strong>[2]</strong></a></em></p>
<p>Some exceptions to this preemption principle are found in Section 404 (b)(2), which generally include consumer protection laws of general applicability, civil rights, employee or student privacy, data breach notification, and contract or tort laws, to highlight a few. Some specific laws are also called out in Section 404 (b)(2), including the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, as well as section 1798.150 of the CCPA on consumer actions based on personal information security breaches.</p>
<p>The California Privacy Protection Agency (CPPA) Board is one of the most vocal opponents of the ADPPA, arguing that it preempts important provisions of the CCPA and CPRA. The House Committee on Energy and Commerce sought to lessen the impact on California by noting in amended Section 404 (b)(3) that the CPPA may enforce the ADPPA “in the same manner it would otherwise enforce the CCPA,” but this concession didn’t resolve the CPPA’s preemption concern. In a <a href="https://aboutbgov.com/3XA" data-wpel-link="external" rel="external noopener noreferrer">letter</a> sent to U.S. House Speaker Nancy Pelosi, D-California, the CPPA discusses how the CPRA sets a “floor” on privacy protections, allowing for stronger privacy rights but not weaker ones. The letter continues that the ADPPA falls below the CPRA floor, weakens the privacy rights of California citizens, and acts as a ceiling limiting the extension of privacy rights instead of a floor. A more in-depth analysis of the argument against preemption can be found <a href="https://teachprivacy.com/further-thoughts-on-adppa-the-federal-comprehensive-privacy-bill/" data-wpel-link="external" rel="external noopener noreferrer">here</a>.</p>
<p>The <u><strong>private right of action</strong></u> is also a point of contention. The US Chamber of Commerce argued that a private right of action will “encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.”<a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Others argue that the private right of action is too limited as currently drafted because there is a right-to-cure process for most violations and because arbitration is mandatory. An analysis of the private right of action can be found <a href="https://www.jdsupra.com/legalnews/analyzing-the-american-data-privacy-and-7937939/" data-wpel-link="external" rel="external noopener noreferrer">here</a>, which includes an opinion about its perceived weakness as currently drafted.</p>
<p><u>Who is Regulated?</u></p>
<p>“Covered entities” include “any entity or any person…that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and</p>
<ul>
<li>is subject to the Federal Trade Commission Act [<strong><u>or</u></strong>]</li>
<li>is a common carrier subject to the Communications Act of 1934… <strong><u>or</u></strong></li>
<li>is an organization not organized to carry on business for their own profit or that of their members; <strong><u>and</u></strong></li>
</ul>
<p>includes any entity or person that controls, is controlled by, or is under common control with another covered entity.”<a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a></p>
<p>Exclusions are listed in (SEC. 2)(9)(B), which include federal, state, and local governmental entities and entities collecting, processing, or transferring covered data on their behalf.</p>
<p><u>What types of data are regulated?</u></p>
<p>“Covered data” is defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers.”<a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a> Exclusions in (SEC. 2)(8)(B) include de-identified data, <strong><u>employee data</u></strong>, publicly available information; or “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”</p>
<p><u>What are some noteworthy provisions?</u></p>
<p>A <strong><u>Data Minimization</u></strong> provision under (Title I)(Sec 101) prohibits covered entities from collecting, processing, or transferring covered data unless that activity is “limited to what is reasonably necessary and proportionate to-</p>
<ul>
<li>provide or maintain a specific product or service requested by the individual [<strong><u>or</u></strong>]</li>
<li>deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the covered entity; <strong><u>or</u></strong></li>
<li>effect a purpose expressly permitted under subsection (b).”</li>
</ul>
<p>Permissible purposes under subsection (b) include several related to carrying out the transactions and services requested by the individual, such as authenticating users of a product or service or fulfilling a warranty service. Permissible purposes also include purposes unrelated to the transaction, like preventing security incidents, fraud, and illegal activity or complying with legal obligations.</p>
<p>Section 102 establishes some <strong><u>loyalty duties</u></strong> for covered entities, laying out several restricted data practices. Most significantly, it restricts collection or processing of <strong><u>sensitive personal data</u></strong> except where it’s “strictly necessary to provide or maintain a specific product or service requested by the individual to whom the covered data pertains, or to effect a purpose enumerated in section 101(b)(1) through (10).” Notably missing are the purposes related to marketing or advertising in 101(b)(10) and (11). Section 102 also addresses the collection, processing, or transfer of social security numbers and aggregated internet search or browsing history, subject to exceptions.</p>
<p>Section 103 discusses <strong><u>Privacy by Design</u></strong>, requiring covered entities to “establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data.” The highlights of this requirement involve mitigating privacy risks and implementing reasonable training and safeguards to promote compliance.</p>
<p>Title II deals with <strong><u>Consumer Data Rights</u></strong>, which include many of the foundational rights found in other privacy laws such as the GDPR and CCPA. For example, section 202 discusses <strong>transparency</strong>, requiring covered entities to publicly share their privacy policy that spells out data collection, processing, and transfer activities. Section 203 grants individuals certain rights concerning <strong>access, correction, deletion, and portability</strong> of their covered data. Section 204 deals with individuals’ rights to <strong>consent</strong> and to withdraw consent.</p>
<p><u>How are Covered Entities Held Accountable?</u></p>
<p>Title III has several requirements geared towards accountability. Section 301 requires executives to certify, within one year of the Act’s enactment, that reasonable controls to ensure the covered entity’s compliance, along with reporting structures, are in place. It also requires covered entities to designate a privacy officer. Title III additionally contains technical compliance requirements along with requirements for the Federal Trade Commission to review controls. More robust controls are also required based on the size of the covered entity and the nature of the information it collects.</p>
<p><u>Who will Enforce it?</u></p>
<p>Title IV, section 401 specifies compliance will be carried out by a new Bureau of Privacy organized under the Federal Trade Commission. Section 402 also allows civil enforcement by state attorneys general or state privacy authorities within federal district courts where the interest of the residents of that state could be adversely affected by the activities of a covered entity. Finally, section 403 provides a limited private right of action to individuals beginning four years after the Act takes effect (which was already discussed above).</p>
<p><u>Conclusion</u></p>
<p>Passage of this law may still be a long shot, given how far it still needs to go to get through Congress and who is responsible for initiating the next steps. If it doesn’t pass in this Congress, many believe it will be years before a federal privacy law is seriously discussed again, especially if party control changes in the midterms. Regardless, though, it’s significant that federal privacy law is gaining momentum as a priority. Bipartisan and bicameral support of an idea is a giant leap forward and sets a new stage for privacy law in the United States. The ADPPA will also remain important because, in its current form, it is a much stronger piece of legislation than any prior federal privacy law that has received serious discussion in Congress and likely sets a new, more stringent baseline for future legislative debate. If privacy law hasn’t yet impacted your organization, it’s likely to soon. If you need help strategizing how to minimize privacy risks in your records retention schedule or RIM program, <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Zasio can help.</a></p>
<p><a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> “HOUSE AND SENATE LEADERS RELEASE BIPARTISAN DISCUSSION DRAFT OF COMPREHENSIVE DATA PRIVACY BILL” Jun 3, 2022 Press Release <a href="https://energycommerce.house.gov/newsroom/press-releases/house-and-senate-leaders-release-bipartisan-discussion-draft-of" data-wpel-link="external" rel="external noopener noreferrer">https://energycommerce.house.gov/newsroom/press-releases/house-and-senate-leaders-release-bipartisan-discussion-draft-of</a></p>
<p><a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> H.R.8152 – American Data Privacy and Protection Act Section 404 (b)(1) as of 8/3/2022. 117th Congress (2021-2022). https://www.congress.gov/bill/117th-congress/house-bill/8152/text</p>
<p><a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> “U.S. Chamber Warns It Will Oppose Any Privacy Legislation That Creates a Blanket Private Right of Action.” May 31, 2022. <a href="https://www.uschamber.com/technology/data-privacy/u-s-chamber-warns-it-will-oppose-any-privacy-legislation-that-creates-a-blanket-private-right-of-action" data-wpel-link="external" rel="external noopener noreferrer">https://www.uschamber.com/technology/data-privacy/u-s-chamber-warns-it-will-oppose-any-privacy-legislation-that-creates-a-blanket-private-right-of-action</a></p>
<p><a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> H.R.8152 – American Data Privacy and Protection Act (SEC. 2)(9)(A) as of 8/3/2022. 117th Congress (2021-2022). <a href="https://www.congress.gov/bill/117th-congress/house-bill/8152/text" data-wpel-link="external" rel="external noopener noreferrer">https://www.congress.gov/bill/117th-congress/house-bill/8152/text</a></p>
<p><a href="https://www.zasio.com/american-data-privacy-and-protection-act/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> Id. at (SEC. 2)(8)(A).</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_0 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/american-data-privacy-and-protection-act/" data-wpel-link="internal">American Data Privacy and Protection Act (ADPPA) Basics &#038; Why It’s Significant</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/american-data-privacy-and-protection-act/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Meet Our Team! Rick Surber, Licensed Attorney / Senior Consultant</title>
		<link>https://zasio.com/meet-our-team-rick-surber-2/</link>
					<comments>https://zasio.com/meet-our-team-rick-surber-2/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 11 May 2022 19:19:55 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=441</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/meet-our-team-rick-surber-2/" data-wpel-link="internal">Meet Our Team! Rick Surber, Licensed Attorney / Senior Consultant</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><div class="vc_row wpb_row vc_row-fluid">
<div class="wpb_column vc_column_container vc_col-sm-9">
<div class="vc_column-inner">
<div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p><strong>Tell us about your role at Zasio. </strong></p>
<p>As a Senior Consultant at Zasio, I have the privilege of working with clients to improve their IG/RIM programs. My most requested role involves simplifying or creating records retention schedules and other RIM policies/procedures. I’m also lucky to co-lead two amazingly hard-working and talented teams at Zasio: the Research team and Consulting team.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="vc_row wpb_row vc_row-fluid">
<div class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner">
<div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p><strong>What excites you about Zasio’s products and services?</strong></p>
<p>I like that Zasio’s solutions can help almost anyone navigate critical aspects of IG and RIM, from small businesses to government agencies, to international corporations, and everything in between. Our solutions result in tangible positive changes.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="vc_row wpb_row vc_row-fluid">
<div class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner">
<div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p><strong>How did you get into Information Governance research and why do you like it as a career field?</strong></p>
<p>In law school, I learned that I prefer areas of law that allow for collaboration instead of litigation. I found that complex areas of statutory interpretation provide an opportunity to help people avoid fines, penalties, and litigation through regulatory compliance. Joining Zasio allowed me to research and analyze laws in nearly every industry worldwide for clients. As a bonus, it introduced me to the IG/RIM industry, which I have grown to love.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="vc_row wpb_row vc_row-fluid">
<div class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner">
<div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p><strong>What are the most important things you recommend people keep in mind about RIM?</strong></p>
<p>A fundamental concept with RIM is realizing that over-retention of many types of records can create as much or more risk than under-retention. Over the next five years, the continued expansion of privacy regulations will amplify the risks associated with over-retention of records and impact more and more organizations.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="vc_row wpb_row vc_row-fluid">
<div class="wpb_column vc_column_container vc_col-sm-6">
<div class="vc_column-inner">
<div class="wpb_wrapper">
<div class="wpb_single_image wpb_content_element vc_align_left">
<figure class="wpb_wrapper vc_figure">
<div class="vc_single_image-wrapper vc_box_border_grey"><img fetchpriority="high" decoding="async" class="vc_single_image-img attachment-large alignleft" title="Lifestyle Photo_Rick-Fam Mesa Arch" src="https://cdn.zasio.com/wp-content/uploads/2022/05/Lifestyle-Photo_Rick-Fam-Mesa-Arch-1024x788.jpg" sizes="(max-width: 1024px) 100vw, 1024px" srcset="https://cdn.zasio.com/wp-content/uploads/2022/05/Lifestyle-Photo_Rick-Fam-Mesa-Arch-1024x788.jpg 1024w, https://cdn.zasio.com/wp-content/uploads/2022/05/Lifestyle-Photo_Rick-Fam-Mesa-Arch-300x231.jpg 300w, https://cdn.zasio.com/wp-content/uploads/2022/05/Lifestyle-Photo_Rick-Fam-Mesa-Arch-768x591.jpg 768w, https://cdn.zasio.com/wp-content/uploads/2022/05/Lifestyle-Photo_Rick-Fam-Mesa-Arch-1536x1182.jpg 1536w, https://cdn.zasio.com/wp-content/uploads/2022/05/Lifestyle-Photo_Rick-Fam-Mesa-Arch-2048x1576.jpg 2048w" alt="" width="294" height="227" data-dt-location="https://www.zasio.com/meet-our-team-rick-surber-2/lifestyle-photo_rick-fam-mesa-arch/" /></div>
</figure>
</div>
</div>
</div>
</div>
<div class="wpb_column vc_column_container vc_col-sm-6">
<div class="vc_column-inner">
<div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p><strong>What is something you like to do in your free time?</strong></p>
<p>I like to get outdoors with my family and friends to explore and go on adventures together in my free time. My favorite outdoor activities are hiking, backpacking, multi-day whitewater rafting trips, and skiing.</p>
</div>
</div>
</div>
</div>
</div>
</div></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_1 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/meet-our-team-rick-surber-2/" data-wpel-link="internal">Meet Our Team! Rick Surber, Licensed Attorney / Senior Consultant</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/meet-our-team-rick-surber-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>US Privacy Laws &#038; RIM — Recent Developments</title>
		<link>https://zasio.com/us-privacy-laws-rim-recent-developments/</link>
					<comments>https://zasio.com/us-privacy-laws-rim-recent-developments/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 07 Jan 2021 21:43:32 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[california consumer privacy act]]></category>
		<category><![CDATA[California Privacy Rights Act]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[CPRA]]></category>
		<category><![CDATA[IG]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[PI]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[retention]]></category>
		<category><![CDATA[RIM]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=586</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/us-privacy-laws-rim-recent-developments/" data-wpel-link="internal">US Privacy Laws &#038; RIM — Recent Developments</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
<div class="et_pb_text_inner"><p>Privacy may very well be the fastest-growing area of law so far in the 21<sup>st</sup> century. While the US, at the federal level, has resisted a broad privacy law similar to the GDPR, momentum is steadily gaining for privacy legislation at the state level. This blog explores recent developments in US privacy law from a records and information management (RIM) perspective.</p>
<p><strong>I. Recently Enacted Privacy Legislation</strong></p>
<p>The number of new bills introduced in 2020 broadly regulating privacy illustrates the subject’s popularity. In 2020 there were more than 20 privacy bills introduced at the state level in the US.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> Federally, there were dozens of bills and discussion drafts introduced during the last two sessions of Congress.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> While most of the recent broad privacy bills met their demise in legislative committees, here are some of the ones that survived and became law.</p>
<p><strong><u>California’s Privacy Rights Act (CPRA)</u></strong></p>
<p>The biggest development in US privacy law in 2020 was the passage of the CPRA by ballot initiative during the November election. The CPRA amends the California Consumer Privacy Act (CCPA) in major ways. Here is a summary of these changes:</p>
<ul>
<li>New Privacy Authority Created: The CPRA creates the California Privacy Protection Agency (CPPA) and grants it the authority to enforce the act by making rules and investigating non-compliance.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a></li>
<li>Creates New Sensitive Personal Information Category: The CPRA creates a category of sensitive PI with stricter use and disclosure requirements than regular PI, including consumers’ ability to restrict use and disclosure for some purposes. Examples of sensitive PI include social security numbers, identification numbers from identification cards such as passports and licenses, financial account information, race, ethnic origin, religion, genetic information, and precise location information, among others.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a></li>
<li>Expanded Rights for Consumers: In addition to their ability to restrict the use of sensitive PI, consumers have several new and expanded rights under the CPRA. These include new rights to correct inaccurate PI, expanded rights to delete PI from third parties, and expanded or modified rights to know, to opt out, to notice of collection, and to request deletion of PI.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></li>
<li>Revised Regulated Party: The CPRA expands regulated business activities to include parties receiving PI; the CCPA only included parties who buy, sell, or share PI. The CPRA also expands regulated business activities by revising the threshold of deriving at least 50 percent of income from selling PI so that it also includes profits from sharing PI. However, the CPRA excludes many small businesses previously covered under the CCPA by increasing the threshold number of consumers or households from 50,000+ to 100,000+.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a></li>
<li>PI Retention Changes: The CPRA has some retention changes similar to requirements in the GDPR. Under the CPRA, businesses are now prohibited from keeping PI unless doing so is reasonably necessary to meet a disclosed purpose. Further, at the time of collection, businesses must specify either the retention period for each PI category or the criteria used to determine that retention period.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a></li>
</ul>
<p>Like the CCPA, there is a window before the CPRA becomes effective, allowing businesses time to implement compliance measures. The CPRA will become effective on January 1, 2023.</p>
<p><strong><u>Maine Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301)</u></strong></p>
<p>Maine passed a privacy act in 2019 restricting the collection, retention, use, disclosure, sale, or access to customer PI by broadband internet access services. This act provides exceptions, including consent, providing services related to the purpose for collection, direct advertising, and several others. It also includes requirements for the security and protection of consumer PI that is lawfully collected.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a></p>
<p><strong><u>Nevada Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A)</u></strong></p>
<p>Nevada revised its PI security law by enhancing requirements for state government controls in the “collection, dissemination and maintenance” of PI.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn9" name="_ftnref9" data-wpel-link="internal">[9]</a></p>
<p><strong>II. U.S. Privacy Law Trends Leading Into 2020</strong></p>
<p>The year 2020 highlighted an ongoing trend in U.S. privacy laws. For reference, the following is a summary of additional privacy laws, generally applicable to businesses and employers, that impact PI retention:</p>
<p><strong><u>Illinois Biometric Information Privacy Act (740 ILCS 14/)</u></strong></p>
<p>Section 15 of this law on “Retention; collection; disclosure; destruction” requires private entities possessing biometric identifiers to have a retention schedule specifying disposition “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn10" name="_ftnref10" data-wpel-link="internal">[10]</a></p>
<p><strong><u>Maryland: COMAR 09.12.22.01</u></strong></p>
<p>This Maryland regulation requires employers to retain medical PI “only for the time needed to accomplish the purpose for access.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn11" name="_ftnref11" data-wpel-link="internal">[11]</a></p>
<p><strong><u>New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act): NY CLS Gen Bus 899-aa and 899-bb</u></strong></p>
<p>The SHIELD Act requires businesses owning or licensing computerized data containing PI to dispose of the PI “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn12" name="_ftnref12" data-wpel-link="internal">[12]</a></p>
<p><strong><u>Texas: Tex. Bus. &amp; Com. Code 503.001</u></strong></p>
<p>This Texas legislation requires persons possessing biometric identifiers of individuals collected for a commercial purpose to “destroy it within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn13" name="_ftnref13" data-wpel-link="internal">[13]</a></p>
<p><strong><u>Utah: Utah Code Ann. 34-46-203</u></strong></p>
<p>Utah’s latest enacted privacy legislation requires employers to destroy information collected during a hiring process within “two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn14" name="_ftnref14" data-wpel-link="internal">[14]</a></p>
<p><strong><u>Washington: Rev. Code Wash. 19.375.020</u></strong></p>
<p>This recent Washington law requires that possessors of biometric identifiers collected for commercial purposes retain them for “no longer than is reasonably necessary to… provide the services for which the biometric identifier was enrolled.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn15" name="_ftnref15" data-wpel-link="internal">[15]</a></p>
<p><strong><u>Federal Children’s Online Privacy Protection Rule (16 CFR 312.10)</u></strong></p>
<p>This rule by the US Federal Trade Commission requires operators of websites or online services to retain PI collected from children for “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn16" name="_ftnref16" data-wpel-link="internal">[16]</a></p>
<p><strong><u>Conclusion</u></strong></p>
<p>The above is just a sampling; many other US privacy laws regulate businesses generally and specific industries in particular. If you need help strategizing how privacy requirements impact your RIM program, Zasio Consulting is here to help: <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio</a>.<a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftn17" name="_ftnref17" data-wpel-link="internal">[17]</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Arizona (SB1614, HB2729), California (CPRA passed), Hawaii (HB 963), Illinois (SB2263, SB2330, HB5603), Maryland (HB0249, HB0784, HB1656), Minnesota (HF 3936), Nebraska (LB746), New Hampshire (HB1236), New Jersey (A2188, A3255), New York (S224, S5642), South Carolina (H4812), Virginia (HB473), Washington (SB6281), Wisconsin (AB870, AB871, AB872).</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> DATA Privacy Act (H.R.8749), Privacy Office Enhancement Act (H.R.5678), Consumer Online Privacy Rights Act (S.2968), Privacy Score Act of 2020 (H.R.6227), Social Media Privacy Protection and Consumer Rights Act of 2019 (S.189), Privacy Bill of Rights Act (S.1214), Protecting Education Privacy Act (H.R.2724), Moving Americans Privacy Protection Act (S.1302), Passenger Privacy Protection Act of 2019 (S.1206), Genetic Information Privacy Act of 2019 (H.R.2155), Secure Data and Privacy for Contact Tracing Act of 2020 (H.R.7472), Consumer Data Privacy and Security Act of 2020 (S.3456), Online Privacy Act of 2019 (H.R.4978) to name a select few.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> The California Privacy Rights Act (CPRA) Section 24. <a href="https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> Id. at sections 10 and 13.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> Id. at sections 3A, 5-12.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> Id. at section 14.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> Id. at sections 4, 12(7).</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301). <a href="https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&amp;item=9&amp;snum=129" data-wpel-link="external" rel="external noopener noreferrer">https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&amp;item=9&amp;snum=129</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref9" name="_ftn9" data-wpel-link="internal">[9]</a> Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A) Section 210. <a href="https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210" data-wpel-link="external" rel="external noopener noreferrer">https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref10" name="_ftn10" data-wpel-link="internal">[10]</a> Illinois Biometric Information Privacy Act (740 ILCS 14/) Sec. 15 (a). <a href="https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57" data-wpel-link="external" rel="external noopener noreferrer">https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref11" name="_ftn11" data-wpel-link="internal">[11]</a> COMAR 09.12.22.01 (C). <a href="http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm" data-wpel-link="external" rel="external noopener noreferrer">http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref12" name="_ftn12" data-wpel-link="internal">[12]</a> NY CLS Gen Bus 899-bb (2)(b)(ii)(C)(4). <a href="https://www.nysenate.gov/legislation/laws/GBS/899-BB" data-wpel-link="external" rel="external noopener noreferrer">https://www.nysenate.gov/legislation/laws/GBS/899-BB</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref13" name="_ftn13" data-wpel-link="internal">[13]</a> Tex. Bus. &amp; Com. Code 503.001 (c)(3),(c-1). <a href="https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm" data-wpel-link="external" rel="external noopener noreferrer">https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref14" name="_ftn14" data-wpel-link="internal">[14]</a> Utah Code Ann. 34-46-203 (2). <a href="https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101" data-wpel-link="external" rel="external noopener noreferrer">https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref15" name="_ftn15" data-wpel-link="internal">[15]</a> Rev. Code Wash. 19.375.020 (4)(b). <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose" data-wpel-link="external" rel="external noopener noreferrer">https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose</a>.</p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref16" name="_ftn16" data-wpel-link="internal">[16]</a> 16 CFR 312.10. <a href="https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&amp;mc=true&amp;node=pt16.1.312&amp;rgn=div5#se16.1.312_110" data-wpel-link="external" rel="external noopener noreferrer">https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&amp;mc=true&amp;node=pt16.1.312&amp;rgn=div5#se16.1.312_110</a></p>
<p><a href="https://www.zasio.com/us-privacy-laws-rim-recent-developments/#_ftnref17" name="_ftn17" data-wpel-link="internal">[17]</a> <a href="https://www.zasio.com/consulting-services/" data-wpel-link="internal">https://www.zasio.com/consulting-services/</a></p>
<div><em>Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements in this article are informational only and do not constitute legal or other professional advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_2 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/us-privacy-laws-rim-recent-developments/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>EU’s New Whistleblower Directive &#038; Impacts on RIM</title>
		<link>https://zasio.com/eu-new-whistleblower-directive-and-impacts-rim/</link>
					<comments>https://zasio.com/eu-new-whistleblower-directive-and-impacts-rim/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 22 May 2019 21:22:31 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[whistleblower]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=792</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/eu-new-whistleblower-directive-and-impacts-rim/" data-wpel-link="internal">EU’s New Whistleblower Directive &#038; Impacts on RIM</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><strong>Whistleblower Directive Quick Overview</strong></p>
<p>The EU recently approved a <a href="http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2018/0218/COM_COM(2018)0218_EN.pdf" data-wpel-link="external" rel="external noopener noreferrer">new Whistleblower Directive</a> promoting common minimum standards designed to enhance protections for whistleblowers and prevent retaliation for participation in whistleblowing activities. The directive allows for reporting of breaches of law both internally within companies and externally, directly to national and EU authorities, and requires the creation of channels and procedures for reporting and following up on reports. The directive applies to legal entities in the public sector and to private entities with 50 or more employees or an annual business turnover or annual balance sheet total of EUR 10 million or more, as well as to entities of any size operating in financial services or vulnerable to money laundering or terrorist financing activities.</p>
<p><strong>Impacts on RIM</strong></p>
<p>Article 18 of the new Directive requires that processing of personal data for whistleblowing activities be in accordance with the <a href="https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en" data-wpel-link="external" rel="external noopener noreferrer">EU GDPR</a>. This makes the activities subject to GDPR Article 5(1)(e), which requires that personal data be kept in a form permitting identification of data subjects for no longer than is necessary for the purpose for which the data are processed or collected. In addition, GDPR Recital 39 requires ensuring an appropriate level of security and confidentiality, including preventing unauthorized access, which extends to networks and information systems. Beyond the GDPR requirements, the new Directive specifies that personal data not relevant for the handling of a specific case shall be immediately deleted.</p>
<p>Member States will have until May 15, 2021 to enact or amend the laws and regulations necessary to comply with the new Directive. Several European countries already have whistleblower laws, and some have provisions that compel the destruction of records that identify a whistleblower within a short period. For example, Article 16(5) of <a href="http://corruptionprevention.gov.hu/download/7/a2/90000/KIM%20555_2013-4.pdf" data-wpel-link="external" rel="external noopener noreferrer">Hungary’s whistleblower law</a> requires that for “investigations revealing that the whistleblower report is unfounded or that no further action is necessary, the data relating to the whistleblower report shall be deleted within 60 days after the end of the investigation.” Countries with requirements like Hungary’s will need to re-evaluate whether allowing retention after the close of the investigation is permissible under the new Directive. As EU countries evaluate their laws and make revisions in response to the new Directive, employers and companies will need to monitor the changes and adjust their records retention schedules accordingly. For example, companies that currently retain whistleblower records containing personal information for a short period past the close of a case for audit purposes may be required to discontinue this practice if the “immediately deleted” language from the new Directive flows through to new or revised country laws.</p>
<p>In addition to impacting records retention schedules, these regulations also require setting up processes to adequately protect whistleblowers, including records that identify them, and procedures for breaches of related personal information. Re-evaluating policies, procedures, and recordkeeping systems will be necessary to ensure that the protections required are implemented. If you need help strategizing how to prepare for requirements like the new EU Whistleblower Directive, or even more established requirements like the GDPR, <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio</a> today.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_3 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/eu-new-whistleblower-directive-and-impacts-rim/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Saved $$$, Increased Efficiency, Reduced Risk? Welcome to Effective RIM!</title>
		<link>https://zasio.com/saved-increased-efficiency-reduced-risk-welcome-to-effective-rim/</link>
					<comments>https://zasio.com/saved-increased-efficiency-reduced-risk-welcome-to-effective-rim/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 09 Jul 2018 21:07:54 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[business continuity]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disposition]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[legal hold]]></category>
		<category><![CDATA[Personally Identifiable Information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[records retention schedules]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[RRS]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=890</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/saved-increased-efficiency-reduced-risk-welcome-to-effective-rim/" data-wpel-link="internal">Saved $$$, Increased Efficiency, Reduced Risk? Welcome to Effective RIM!</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Many Records and Information Management (RIM) professionals hear the question, “Why is RIM necessary?” My short answer is that effective RIM saves your company money, makes it more efficient, and reduces its risk. I want to expand on that answer by listing some of the ways a good RIM program can work for you.</p>
<p><strong>Disposition of Records</strong></p>
<p>So why not just keep everything? One reason is that, for certain types of records, disposition is required by law. For example, in some locations it’s mandatory to dispose of Personally Identifiable Information after a short period. Also, disposition of records reduces the quantity of information to search when looking for records. Less information translates into increased retrieval efficiency for employees. It also reduces the risk that excessive billable hours will be needed to identify relevant information for discovery requests. Both are examples of how managing the growth of information reduces risk and increases efficiency.</p>
<p><strong>Records Retention Schedules</strong></p>
<p>A foundation for a good RIM program is a Records Retention Schedule (RRS). When properly constructed and implemented, an RRS allows for the reasonable disposition of records. Otherwise, regulators and courts might criticize the intent behind records disposition activities. To be reasonable, disposition should be based on business needs, legal requirements, and common practice.</p>
<p><strong>Legal Requirements</strong></p>
<p>RIM programs promote compliance with legal requirements. How? They research and analyze legal requirements to ensure proper retention, handling, and disposition of records. Proper retention of records prevents sanctions and other penalties for non-compliance. Sanctions for improper RIM can be significant, reaching seven figures for certain offenses.</p>
<p><strong>Legal Holds and RIM Policies</strong></p>
<p>Along with the RRS, it’s necessary to create a legal hold policy. The hold suspends normal disposition for records involved in pending or anticipated litigation. Also, rolling out the RRS requires creating and revising supporting policies and procedures. Once these are drafted, training is necessary to educate current and future employees about the policies. It’s also necessary to conduct audits to ensure compliance with the policies.</p>
<p><strong>Disposition Days</strong></p>
<p>One way many companies promote compliance is to implement “disposition days.” These are days dedicated to organizing and disposing of records and other information. The RRS guides disposition, and policies exclude records that are subject to legal holds.</p>
<p><strong>Email Management</strong></p>
<p>One common source of growth in records and information is email. However, email itself is not a record; it’s a tool used to transmit records. Avoid using it as a storage system, so it doesn’t become a dumping ground. Policies, procedures, and guidelines will help employees properly file records from email. Retain routine email short term unless needed for business reasons.</p>
<p><strong>Business Continuity</strong></p>
<p>RIM programs help reduce risks caused by disasters. They do this by planning to ensure continued operation if disaster strikes. Vital records needed for continued operation should be identified. Then, steps are taken to protect that information against the risks for potential disaster types.</p>
<p>Remember, Zasio is here to help with your RIM needs. Contact our <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Consulting department</a> today for help kicking off or refreshing your RIM program.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_4 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fzasio.com%2Fsaved-increased-efficiency-reduced-risk-welcome-to-effective-rim%2F&amp;linkname=Saved%20%24%24%24%2C%20Increased%20Efficiency%2C%20Reduced%20Risk%3F%20Welcome%20to%20Effective%20RIM%21" title="Facebook" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_button_x" href="https://www.addtoany.com/add_to/x?linkurl=https%3A%2F%2Fzasio.com%2Fsaved-increased-efficiency-reduced-risk-welcome-to-effective-rim%2F&amp;linkname=Saved%20%24%24%24%2C%20Increased%20Efficiency%2C%20Reduced%20Risk%3F%20Welcome%20to%20Effective%20RIM%21" title="X" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fzasio.com%2Fsaved-increased-efficiency-reduced-risk-welcome-to-effective-rim%2F&amp;linkname=Saved%20%24%24%24%2C%20Increased%20Efficiency%2C%20Reduced%20Risk%3F%20Welcome%20to%20Effective%20RIM%21" title="LinkedIn" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fzasio.com%2Fsaved-increased-efficiency-reduced-risk-welcome-to-effective-rim%2F&#038;title=Saved%20%24%24%24%2C%20Increased%20Efficiency%2C%20Reduced%20Risk%3F%20Welcome%20to%20Effective%20RIM%21" data-a2a-url="https://zasio.com/saved-increased-efficiency-reduced-risk-welcome-to-effective-rim/" data-a2a-title="Saved $$$, Increased Efficiency, Reduced Risk? Welcome to Effective RIM!" data-wpel-link="external" rel="external noopener noreferrer"></a></p><p>The post <a href="https://zasio.com/saved-increased-efficiency-reduced-risk-welcome-to-effective-rim/" data-wpel-link="internal">Saved $$$, Increased Efficiency, Reduced Risk? 
Welcome to Effective RIM!</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/saved-increased-efficiency-reduced-risk-welcome-to-effective-rim/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Records Management Disaster Plan Development</title>
		<link>https://zasio.com/records-management-disaster-plan/</link>
					<comments>https://zasio.com/records-management-disaster-plan/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 25 Oct 2017 19:17:29 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[disaster plan]]></category>
		<category><![CDATA[natural disasters]]></category>
		<category><![CDATA[records management]]></category>
		<category><![CDATA[records manager]]></category>
		<category><![CDATA[seven classes of disasters]]></category>
		<category><![CDATA[vital records]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=974</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/records-management-disaster-plan/" data-wpel-link="internal">Records Management Disaster Plan Development</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_10">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_10  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Developing a Disaster Plan</h2>
<p>Do you have a records management disaster plan? Headlines about natural disasters provide a stark reminder that we can’t control our environment. However, if we plan for disasters and assess risks, we can help ensure business continuity if disaster strikes.</p>
<p>To plan for disaster, analyze the different types of potential disasters and then prepare to mitigate loss. For a records manager, this means finding a way to limit interruption to vital records. It also means taking steps to mitigate the disaster’s impact to the records program.</p>
<h2>Vital Records</h2>
<p>You need vital records for your business to operate. Without them, you can’t continue to conduct business and you can’t determine assets and liabilities. For business to continue, you need to identify vital records and safeguard them from the impacts of disasters. This should be a major component of any disaster plan. You might, for example, keep vital records in a <a href="https://www.zasio.com/technology-solutions/records-management-software/" data-wpel-link="internal">records management software</a> and have the data backed up so you don’t lose any records.</p>
<h2>Mitigating Disaster Types</h2>
<p>A risk assessment should identify possible disasters, estimate their likelihood, and consider their consequences. This analysis allows you to develop plans as well as strategies to take if those disasters occur. Disaster likelihood varies based on several factors, many linked to location and climate. For example, the likelihood of a hurricane is greater in the Southeast United States than in the Northwest. Likewise, the likelihood of flooding is greater for locations in a flood plain. For companies with a centralized location, it’s best to have a disaster analysis based on that location. For companies with a larger geographic footprint, a high-level plan framework at the national or international level can help local branches develop local plans.</p>
<p>Whether a business is centralized, national, or international, Records Managers can use The Seven Classes of Disasters as a tool to brainstorm relevant disasters/events.<a href="https://www.zasio.com/records-management-disaster-plan/#_edn1" name="_ednref1" data-wpel-link="internal">[i]</a> The classes encompass seven scenarios, which range from the most severe to minimal. You can see a simplified version of the classes in the chart below. <a href="https://www.zasio.com/records-management-disaster-plan/#_edn2" name="_ednref2" data-wpel-link="internal">[ii]</a><br />
<img loading="lazy" decoding="async" class="alignnone wp-image-4596" src="https://cdn.zasio.com/wp-content/uploads/2017/10/Seven-Classes-of-Disaster-01-01-1024x824.png" sizes="(max-width: 693px) 100vw, 693px" srcset="https://cdn.zasio.com/wp-content/uploads/2017/10/Seven-Classes-of-Disaster-01-01-1024x824.png 1024w, https://cdn.zasio.com/wp-content/uploads/2017/10/Seven-Classes-of-Disaster-01-01-300x241.png 300w, https://cdn.zasio.com/wp-content/uploads/2017/10/Seven-Classes-of-Disaster-01-01-768x618.png 768w" alt="Records Management Disaster Plan Development" width="693" height="558" /><br />
The chart allows you to brainstorm potential local disasters based on general disaster types. Then, you can develop and test procedures for each event. For example, if you're brainstorming type 2 disasters and you're located near a fault line, you'll need to list severe earthquakes. Then plan to mitigate that event based on a risk analysis. It's important that you develop procedures that include contingency plans to account for multiple situations.</p>
<p>Each step up the scale (toward class 1) indicates a more severe event, but the likelihood that the event will occur decreases. This makes successful planning more difficult, more expensive, and less likely to be needed the higher you go up the scale. From a cost-to-risk perspective, the best strategy is to plan from the bottom up. Your risk profile will guide how high up the scale you can cover. Typically, this doesn't require spending a lot of time planning for a class 1 disaster, because of the high cost to plan, the low likelihood the event will occur, and the low success rate should that disaster happen.</p>
<h2>Plan Enactment and Support</h2>
<p>Even if your plan is perfect, if you don’t enact it properly, it’s not likely you’ll stabilize your processes after a disaster. You must coordinate logistics, implement the plan, and train so everything is ready before the disaster occurs.</p>
<h2>Plan Review and Maintenance</h2>
<p>While the risk of many of the larger scale disasters remains constant, many factors such as responses, technology, and personnel will continue to change. This means it’s vital to conduct at least an annual review and routine testing.</p>
<h2>Conclusion</h2>
<p>A good disaster recovery plan can be the difference between a company surviving a disaster or going bankrupt. Even with a solid plan, a disaster will likely result in recovery efforts, but the hard work and resources devoted to the plan act as an insurance policy. The key is to keep the business running and ensure you’ve defined the process for recovery efforts in the aftermath of the disaster.</p>
<p><a href="https://www.zasio.com/records-management-disaster-plan/#_ednref1" name="_edn1" data-wpel-link="internal">[i]</a> Mary F. Robek, Gerald F. Brown, &amp; David O. Stephens, Information and Records Management, Document-Based Information Systems (1<sup>st</sup> Ed. 1996). Page 71, Table 4.1.</p>
<p><a href="https://www.zasio.com/records-management-disaster-plan/#_ednref2" name="_edn2" data-wpel-link="internal">[ii]</a> Modified from <em>Id.</em></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_11">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_11  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_5 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fzasio.com%2Frecords-management-disaster-plan%2F&amp;linkname=Records%20Management%20Disaster%20Plan%20Development" title="Facebook" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_button_x" href="https://www.addtoany.com/add_to/x?linkurl=https%3A%2F%2Fzasio.com%2Frecords-management-disaster-plan%2F&amp;linkname=Records%20Management%20Disaster%20Plan%20Development" title="X" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fzasio.com%2Frecords-management-disaster-plan%2F&amp;linkname=Records%20Management%20Disaster%20Plan%20Development" title="LinkedIn" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fzasio.com%2Frecords-management-disaster-plan%2F&#038;title=Records%20Management%20Disaster%20Plan%20Development" data-a2a-url="https://zasio.com/records-management-disaster-plan/" data-a2a-title="Records Management Disaster Plan Development" data-wpel-link="external" rel="external noopener noreferrer"></a></p><p>The post <a href="https://zasio.com/records-management-disaster-plan/" data-wpel-link="internal">Records Management Disaster Plan Development</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/records-management-disaster-plan/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Records Handling Laws: Format Requirements</title>
		<link>https://zasio.com/records-handling-laws-part-1-format-requirements/</link>
					<comments>https://zasio.com/records-handling-laws-part-1-format-requirements/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 21 Jun 2017 21:03:44 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<category><![CDATA[data authenticity]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[electronic records]]></category>
		<category><![CDATA[information integrity]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[legacy records]]></category>
		<category><![CDATA[mandatory format regulations]]></category>
		<category><![CDATA[paper records]]></category>
		<category><![CDATA[permissive format regulations]]></category>
		<category><![CDATA[record accessibility]]></category>
		<category><![CDATA[record formats]]></category>
		<category><![CDATA[records managers]]></category>
		<category><![CDATA[Uniform Electronic Transactions Act]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=1010</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/records-handling-laws-part-1-format-requirements/" data-wpel-link="internal">Records Handling Laws: Format Requirements</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_12">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_12  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
<div class="et_pb_text_inner"><p>Records managers often overlook laws that regulate record formats. Most companies store the bulk of their records electronically, or they're moving in that direction. This makes it important to consider legal requirements about records formats.</p>
<p><b>Permissive Format Regulations</b></p>
<p>The good news is that most format regulations allow for electronic recordkeeping if you meet certain conditions. In the US, the Uniform Electronic Transactions Act, which is in effect in 47 states, is a good example of standard language found in many domestic and international permissive format requirements. The main components usually include 1) accurate and trustworthy information and 2) accessibility.</p>
<p><b>Accurate and Trustworthy Information</b></p>
<p>The electronic version must accurately reflect the finalized version of the record. This condition recognizes that it's easy to alter and overwrite many formats of electronic records. It also recognizes that original versions of electronic records don't exist in the same sense as original paper records.</p>
<p>A crucial element for accuracy is information integrity, which includes ensuring that the record has not been altered. While evidentiary rules can also apply, we’ll only include a couple of general factors that impact accuracy:</p>
<ul>
<li><strong>Authenticity</strong>: Someone with knowledge of the records who can attest to the integrity of the information.</li>
<li><strong>Security</strong>: Security measures in place to protect the information from tampering, and to show that it has not been tampered with.</li>
</ul>
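<p>The two factors above, someone who can vouch for the record and controls that make tampering detectable, are easier to satisfy when the record store produces its own evidence. The following is an added example, not code from the original post or from Zasio, of one common way to do that: a keyed integrity manifest. Each record's SHA-256 digest is listed in a manifest, and the manifest is sealed with an HMAC so that neither a record nor the manifest itself can be silently edited. The record names, contents, and key are constructed for the demonstration; how the key is protected (and who may hold it) is an operational assumption outside this example, and tamper-evidence of this kind supports, but does not by itself establish, legal admissibility.</p>

```python
"""Tamper-evidence for electronic records: a keyed integrity manifest.

Added example (not from the original post). Records and key are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample records: name -> stored bytes.
RECORDS = {
    "INV-2017-0001.pdf": b"Invoice 0001: 10 units @ 12.50 EUR, total 125.00 EUR",
    "CONTRACT-44.txt": b"Master services agreement, executed 2017-06-01",
}


def record_digest(content: bytes) -> str:
    """SHA-256 of the record bytes, as stored in the manifest."""
    return hashlib.sha256(content).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Deterministic serialization so the MAC covers exactly one byte form."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes) -> dict:
    """List each record's digest, then seal the listing with HMAC-SHA256.

    The key is an assumption: in practice it is held by the records custodian,
    not by the users who can write to the record store.
    """
    entries = {name: record_digest(content) for name, content in records.items()}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """True only if the manifest listing has not been altered since sealing."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_records(manifest: dict, records: dict, key: bytes) -> dict:
    """Per-record status: 'ok', 'altered', 'missing', or 'unlisted'.

    If the manifest itself fails its MAC, every name is reported as
    'manifest_tampered', because none of its digests can be trusted.
    """
    names = set(manifest["entries"]) | set(records)
    if not verify_manifest(manifest, key):
        return {name: "manifest_tampered" for name in names}
    status = {}
    for name, digest in manifest["entries"].items():
        if name not in records:
            status[name] = "missing"
        elif hmac.compare_digest(record_digest(records[name]), digest):
            status[name] = "ok"
        else:
            status[name] = "altered"
    for name in records:
        if name not in manifest["entries"]:
            status[name] = "unlisted"
    return status


if __name__ == "__main__":
    key = b"constructed-demo-key"
    manifest = build_manifest(RECORDS, key)
    print(verify_records(manifest, RECORDS, key))
    edited = dict(RECORDS)
    edited["INV-2017-0001.pdf"] = b"Invoice 0001: 10 units @ 12.50 EUR, total 1250.00 EUR"
    print(verify_records(manifest, edited, key))
```

<p>The manifest is only as trustworthy as the custody of the key and of the manifest itself; storing both separately from the record store (and, where a regulation demands it, on non-rewriteable media) is what turns a hash listing into evidence someone can attest to.</p>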
<p>&nbsp;</p>
<p><b>Accessibility</b></p>
<p>The records must remain accessible. This condition recognizes that technology becomes obsolete and data can become corrupt over time. However, information must remain accessible throughout its required retention. A few steps to help meet this requirement include:</p>
<ul>
<li>Migrating records from legacy systems into new systems so they are readable.</li>
<li>Using a format that can be reproduced into hard copy within a reasonable time.</li>
<li>Backing up electronic records to prevent loss through degradation.</li>
</ul>
<p>&nbsp;</p>
<p>While many of the permissive format regulations use slightly different terminology and include other information, such as exceptions for contractual arrangements, specific evidentiary situations, and more, this provides a summary of the overall requirements for many of these regulations.</p>
<p><b>Mandatory Format Regulations</b></p>
<p>Mandatory format regulations require that a record be kept in a particular format. Although rare, they exist in many jurisdictions and industries and can affect common record types. Identifying, interpreting, and applying these requirements correctly is crucial to ensure compliance with the law. A few examples of mandatory format requirements include:</p>
<ul>
<li>China’s Implementation of the Methods for Management of Invoices Notice requires that invoices be kept in stub form.</li>
<li>In the United States, 17 CFR 240.17a-4 requires that members of national securities exchanges, brokers, and dealers retain certain records related to their securities activities on micrographic or electronic storage media exclusively in a non-rewriteable, non-erasable (WORM) format. (Rule 17a-4 was amended in 2022 to also permit an audit-trail alternative for electronic records; check the current text of the rule.)</li>
<li>Switzerland’s Code of Obligations requires that annual reports and audit reports be retained in a written form and signed.</li>
</ul>
<p>&nbsp;</p>
<p>Unfortunately, finding these requirements can be a bit like finding a needle in a haystack. Unlike the permissive requirements, which often have their own dedicated law, mandatory format regulations are usually found buried in the text of laws alongside requirements to retain records. Identifying them requires extensive research.</p>
<p>Zasio’s Versatile Retention software can help to make this process easier. Our Research Team of lawyers and paralegals conduct research and categorize relevant format requirements so they can easily be searched, reviewed, and applied. In addition, our Consulting Team offers customized reports detailing format requirements and how they impact our clients.</p>
<div class="post_content_holder">
<div class="post_text">
<div class="post_text_inner">
<p><a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today to see how our consulting services can help you stay compliant and minimize risk.</p>
</div>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
</div>
</div></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_13">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_13  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_6 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fzasio.com%2Frecords-handling-laws-part-1-format-requirements%2F&amp;linkname=Records%20Handling%20Laws%3A%20Format%20Requirements" title="Facebook" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_button_x" href="https://www.addtoany.com/add_to/x?linkurl=https%3A%2F%2Fzasio.com%2Frecords-handling-laws-part-1-format-requirements%2F&amp;linkname=Records%20Handling%20Laws%3A%20Format%20Requirements" title="X" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fzasio.com%2Frecords-handling-laws-part-1-format-requirements%2F&amp;linkname=Records%20Handling%20Laws%3A%20Format%20Requirements" title="LinkedIn" rel="nofollow noopener external noreferrer" target="_blank" data-wpel-link="external"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fzasio.com%2Frecords-handling-laws-part-1-format-requirements%2F&#038;title=Records%20Handling%20Laws%3A%20Format%20Requirements" data-a2a-url="https://zasio.com/records-handling-laws-part-1-format-requirements/" data-a2a-title="Records Handling Laws: Format Requirements" data-wpel-link="external" rel="external noopener noreferrer"></a></p><p>The post <a href="https://zasio.com/records-handling-laws-part-1-format-requirements/" data-wpel-link="internal">Records Handling Laws: Format Requirements</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/records-handling-laws-part-1-format-requirements/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Implications of Statutes of Limitations, Privacy &#038; Handling Requirements on Information Management</title>
		<link>https://zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/</link>
					<comments>https://zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 05 Oct 2016 21:40:48 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=1087</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/" data-wpel-link="internal">Implications of Statutes of Limitations, Privacy &#038; Handling Requirements on Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_7 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_14">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_14  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
<div class="et_pb_text_inner"><p>All enterprises, whether commercial, governmental, charitable, or any other structure, are required to follow information management regulations in some way; there are even laws regulating the president of the United States.<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> This article discusses several regulatory requirements that impact enterprises during the information creation, custodianship, archival, and disposition cycles. Good practice requires identifying the information types that constitute official records and creating a Records Retention Schedule (RRS) to manage them. RRSs specify (among other things) how to properly retain records and what steps are necessary in retaining and disposing of records to comply with regulations.<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> The following briefly discusses requirements impacting the duration of records retention, including privacy laws and, even though they do not mandate a definitive retention period, statutes of limitations (SOLs). Finally, this article introduces and describes several handling and ancillary requirements related to records retention.</p>
<p><strong><u>Duration of Retention Background Explanation: </u><u>Retention Laws and Regulations</u></strong></p>
<p>Records retention requirements mandate the retention of records by regulated parties. Tens of thousands of international and domestic records retention laws exist that either generally require the retention of records or set defined periods of time to retain them. These have been passed by legislatures, agencies, self-regulatory organizations, and other regulatory bodies, and they cover both records common to all companies, like employment and accounting records, and records unique to specific industries, like records of nonconforming products for manufacturers. Retention requirements are often accompanied by a number of handling and ancillary requirements that must be considered and followed to comply with the law.</p>
<p><strong><u>Duration of Retention Background Explanation</u></strong><u>: <strong>Privacy / Personally Identifiable Information</strong></u></p>
<p>A unique category of records retention requirements are those regulating the retention of Personally Identifiable Information (PII). These requirements deal with the retention of records, but instead of setting the minimum amount of time to keep records they set a maximum retention period, compelling the destruction after that period of time.</p>
<ul>
<li><strong>Broad vs. Specific PII Requirements</strong>: Some have a broad and generic retention period, a common example being to retain PII for no longer than is necessary for the purpose for which the information was initially collected, while others are more rigid, defining types of PII and setting an exact retention time-frame. Similarly, some privacy requirements use broad and generic language about the regulated records (for example, any record containing PII), while others specifically identify the exact types of records governed. Where the regulations are broad and generic and not tied to a particular record type or code, it is helpful to create a methodology to ensure consistency in application. One method is to review an impacted RRS ahead of applying the regulations to identify the records believed to be impacted by, or to contain information within the scope of, the broad mandates. The broad requirements are then applied to the items identified through that methodology.</li>
<li><strong>Conflicts with Compelled Destruction Requirements</strong>: The majority of PII requirements have exceptions if the compelled destruction requirement conflicts with another law in that jurisdiction that requires a longer retention. For example France’s National Commission on Informatics and Liberty (CNIL) regulations generally require employers that file under the CNIL simplified standards to remove payroll data and time slips containing personal information after 5 years. However, France’s commercial code broadly requires retention of accounting related records including supporting records for a period of 10 years which arguably may include PII associated with payroll data. Because this particular CNIL requirement includes a provision that excludes information required to be retained by another law, the retention of PII for payroll accounting purposes, in accordance with the Commercial Code’s 10 year requirement may not be in contravention of the cited privacy requirement. Even without the ambiguity presented in the previous example, compelled destruction requirements present a major pain point for companies, limiting or complicating the retention of records based on business needs, common practice, or strategic needs like global harmonization efforts.</li>
</ul>
<p><strong><u>Duration of Retention Background Explanation</u></strong><u>: <strong>Statutes of Limitation</strong></u></p>
<p>Statutes of limitation in and of themselves do not mandate the retention of records but, rather, provide context for identifying appropriate retention periods. For example, a common US statute of limitations for contracts is 5 to 6 years, which generally means that an action based in contract must be brought within 5 to 6 years of the breach giving rise to the claim. The problem with statutes of limitation is that it is easy to get caught in the "every possible contingency" mindset, because there are hundreds of claims that could be relevant if extremely rare circumstances arise but that will rarely be relevant to the business world.</p>
<ul>
<li><strong>SOL Strategy</strong>: For this reason, in jurisdictions (domestic or otherwise) that have an abundance of laws governing the retention of records, a common strategy is to rely on SOLs only where few retention laws are on point, and only where reasonable from a cost/risk perspective. It is also a good idea to analyze and then limit the application of statutes of limitation to those deemed most relevant to a particular company's records, which usually means those related to written contracts, personal injury, products liability, discrimination, real estate, wage claims, and tax. Otherwise, getting sidetracked by an every-conceivable-contingency analysis is likely.</li>
<li><strong>Spain SOL Example</strong>: There are recognized instances in which a statute of limitation creates a duty to retain records, similar to a definitive retention period. For example, Spain's Supreme Court found that even though a record-keeping provision directly on point required banks to keep accounting records for six years (a requirement interpreted to extend to deposit accounts), that provision set only the minimum period. The court went on to explain that the retention requirement did not relieve the bank of the burden of preserving records in its own interest, for defending against or bringing a suit. In that case, the ruling meant the bank could not rely on the absence of records to show that it had followed its own procedures, both for its deposit accounts and in disposing of its records; the holding itself was narrow to banks and deposit accounts. However, because the court spoke so broadly about the obligations created by statutes of limitation, the trend has been to apply statutes of limitation more cautiously in Spain and in surrounding countries. The Spanish case illustrates the utility of retaining records based on statutes of limitation: such records provide a defense to, or otherwise help defend, an action where the statute of limitation has not expired. Had the bank kept records showing that it had properly dealt with its deposit accounts, it could have used them as a defense in that case.</li>
<li><strong>Lilly Ledbetter Example</strong>: The Lilly Ledbetter Act provides another example of a statute of limitation that directly impacts record-keeping by expanding the 3 year statute of limitations from the Equal Pay Act to start over every time a violating paycheck is issued.  Again, this is a statute of limitation, is not a records retention requirement, so it does not legally require that records be retained. However, the prudent approach is to retain records of compliance with the Equal Pay Act including pay slips to defend against claims should they arise which is why common practice is to keep these records for duration of employment plus 3 years.</li>
</ul>
<p><strong><u>Handling Requirements</u></strong></p>
<p>Handling requirements deal with aspects of record-keeping beyond the period of time records need to be retained. The sub-categories that are helpful for information management include, for example, media and format restrictions or allowances, location and records movement restrictions or allowances, protection and access restrictions, and requirements to destroy records in a certain way. Requirements that are ancillary to handling and retention requirements also include sanctions for non-compliance with retention and handling requirements. A well-informed information management strategy will take all of these into account when drafting records retention schedules (RRS) and policies.</p>
<ul>
<li><strong>Destruction Requirements: </strong>These generally mandate the destruction of records after the legally specified retention period has expired or mandate a specific destruction method. Shredding is the most common, and some requirements get particular; for example, some specify the shred size or require cross shredding. Other destruction requirements include burning, using chemicals to destroy records, and different methods to wipe or destroy electronic data. An example of a destruction requirement is the Business &amp; Commercial Code of Texas, which requires that “businesses collecting sensitive personal information shall destroy or arrange for the destruction of customer records containing sensitive personal information … by: shredding; erasing; or otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.”<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> To follow the letter of the law in these instances, records that have destruction requirements must be flagged so that when their destruction is due they can be disposed of properly.</li>
<li><strong>Records Location and Movement: </strong>These requirements impose restrictions or prohibitions on location and movement of certain records (e.g., must be retained in a certain location). These provisions tend to be associated with specific types of records and impose limitations such as to maintain records at the “head office,” “principal place of business,” or broadly within the jurisdiction in question and so forth.
<ul>
<li><strong>Cross Border/Localization Distinction: </strong>A sub-type of the Records Location and Movement category is Cross Border restrictions, which are typically associated with PII and prohibit moving data containing PII out of a particular country. More often than not there are conditions that can be met to move the data; however, sometimes the laws are rigid and do not allow PII to be transferred out under any condition.</li>
<li><strong>EU Cross Border Example</strong>: A timely example of a conditional cross border / localization requirement is the European Union data protection requirements, which only allow transfer of PII out of EU countries if certain conditions are met. It is timely because one method relied upon historically for satisfying the standards for PII transfer, Safe Harbor, was recently overruled by the EU’s Data Protection Agency and has been replaced by the Privacy Shield framework. To summarize, Privacy Shield is an agreement between the EU, the non-EU government and participating companies allowing for transfer of PII across borders if certain requirements are met. These include transparency about PII being transmitted, compliance oversight by the EU and non-EU governments, sanctions for non-compliance, onward transfer restrictions and redress options for individual complaints.<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> Another option for transferring data out of the EU is Binding Corporate Rules, which are internal rules adopted by participating enterprises that ensure “adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of article 26 (2) of the Directive 95/46/CE for all transfers of personal data protected under a European law.”<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> The final option is to utilize model contract clauses, which are standard contractual clauses issued by the EU Commission that can be used by enterprises to “offer sufficient safeguards as required by Article 26 (2).”<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> While the information presented above about the EU cross border options is brief and likely to change in the future, it provides a good example of and introduction to the robust requirements surrounding cross border transfer in the EU.</li>
<li><strong>Russia Localization Example</strong>: An example of a more rigid localization requirement is a new law in Russia which requires that personal data on Russian citizens be kept on servers located within the territory of the Russian Federation. While it allows for a few exceptions, they all relate to circumstances necessary to achieve government goals, necessary for justice, or necessary for political, scientific, literary or creative activities. Russia’s Ministry of Telecom and Mass Communications has provided some additional exceptions for activities like making decisions based on the data and depersonalizing data, as well as for personal data obtained without solicitation or based on a transaction between legal entities. These clarifications are still being interpreted, but the consensus thus far is that so long as the data exists on a server in Russia, copies or equivalents of the data can be transferred outside the country. Though there is a workaround for transferring the data across borders, the requirement to keep the server with the original data within Russia still presents a pain point for many enterprises doing business in Russia.</li>
</ul>
</li>
<li><strong>Records Media / Format: </strong>These requirements impose legal obligations or allowances to retain records in a particular format. The most common are permissive provisions permitting an electronic format so long as certain conditions are met, though there are some requirements to keep records in a specific format, usually hard copy or paper. An example of a hard copy requirement is Illinois Administrative Code which requires that originals of pollution filings including original pen and ink signatures be retained<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a>. Like the PII requirements, there are common laws that generally regulate these topics, such as Electronic Transactions Acts, Model Requirements for the Management of Electronic Records, Write Once Read Many (“WORM”) requirements, etc., which need to be followed.
<ul>
<li><strong>Electronic Transactions Acts Example</strong>: An example of a permissive media / format requirement is the Uniform Electronic Transactions Act which has been passed by 47 states and allows for electronic retention of records so long as it “(1) accurately reflects the information set forth in the record after it was first generated in its final form as an electronic record or otherwise; and (2) remains accessible for later reference.”<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a> Regulations related to “electronic transactions” are broadly stated to govern any record that could fall within the scope of that term. Because the regulation is not tied to a particular record type/series this is another scenario where a methodology is helpful to assure consistency in application.  For this purpose, a good plan is to review the schedule ahead of time to identify those records that are believed to be impacted by/contain information within the scope of the broad mandates so they can be applied consistently.</li>
<li><strong>Protection: </strong>Another handling category requires that certain records have various protections. These include higher security and access restrictions, that they be duplicated and backed up for disaster recovery purposes, or even that they be stored in a controlled environment, meaning that temperature, humidity and isolation from pollution or water are taken into account. An example is found in a Canadian circular dealing with electronic income tax record-keeping, which requires that data stored electronically on re-writable media be kept clear of hazards that could deteriorate or affect the media, like temperatures outside of a moderate range, moisture, sunlight and even magnetic fields.</li>
<li><strong>Sanctions: </strong>Sanctions are an ancillary aspect of retention requirements that impose penalties for non-compliance with record-keeping requirements, including handling requirements. Punishments vary from the most common, monetary fines, to the most extreme, criminal sanctions including jail time. For example, Cal Gov Code 12976 (a) specifies that an employer that “willfully violates Section 12946 concerning record-keeping is guilty of a misdemeanor, punishable by imprisonment in a county jail, not exceeding six months, or by a fine not exceeding one thousand dollars ($1,000), or both.”<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a> Some fines can be significant; for example, EU data protection laws have situations where fines are in the millions of dollars or are calculated based on a percentage of the infringing company’s revenue.<a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a> Knowing the sanctions is not strictly necessary so long as all requirements are complied with, although they can be considered in weighing the risks involved in making information management decisions and used as leverage in enforcing compliance. This is not to say that it is ever advisable to disobey a legal requirement, but sanctions can help not only to prioritize items with higher penalties but also to provide backing and support for information management initiatives and projects.</li>
</ul>
</li>
</ul>
<p><strong><u>Conclusion</u></strong></p>
<p>In a typical client records retention schedule (RRS), approximately one-third to one-half of the schedule titles will be regulated in some way by a records retention requirement or impacted by best practice and potentially SOLs. While these numbers amount to a fraction of the RRS, these are the records that are requested by regulators, requested during audits, or that may be needed to defend against or bring suit. Proper maintenance should consider not only retention periods but also handling requirements. If these records are not accounted for, the consequences may involve a wide range of sanctions, ranging from minor monetary fines to substantial monetary and criminal penalties. Fully considering and implementing the wide range of regulations pertinent to an enterprise’s RRS is crucial to minimizing risk.</p>
<p>Zasio is here to help, with several options based on client needs. Our <a href="https://www.zasio.com/technology-solutions/records-retention-software/versatile-retention/" data-wpel-link="internal">Versatile Retention</a> software provides the relevant citations in an easy to use and apply format so that companies can create schedules and link laws themselves. For clients who want more help, Zasio Consulting offers RRS creation and consolidation services, and custom research, application, and recommendations services.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Texas Business &amp; Commercial Code 521.052 (b) (Supp. L. 2009).</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> EU-US Privacy Shield Fact Sheet (July 2016) from the European Commission website (accessed October 4, 2016, 12:56 PM) <a href="http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf" data-wpel-link="external" rel="external noopener noreferrer">http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf</a>.</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Overview on Binding Corporate rules from the European Commission website (accessed October 4, 2016, 12:58 PM) <a href="http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm" data-wpel-link="external" rel="external noopener noreferrer">http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm</a>.</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> Model Contracts for the transfer of personal data to third countries from the European Commission website (accessed October 4, 2016, 12:59 PM) <a href="http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm" data-wpel-link="external" rel="external noopener noreferrer">http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm</a>.</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> 35 Ill. Adm. Code 101.1010 (c)(4)(s1b) (effective January 27, 2015).</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> As an example of the UETA, I pulled language from the version published in Idaho code which uses the same language as the versions passed by other states.  Idaho Code 28-50-112 (a) (I.C., § 28-50-112, as added by 2000, ch. 286, § 1, p. 959).</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> Cal Gov Code 12976 (a) (operative January 1, 1984).</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> “European Commission – Fact Sheet – Questions and Answers – Data protection reform,” from the European Commission website (accessed October 4, 2016, 3:11 PM) http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm.</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref1" name="_ftn1" data-wpel-link="internal">[9]</a> For example, 3 CFR 102.110 requires the Executive Office of the President to retain self-evaluations of its programs considering enforcement of nondiscrimination on the basis of handicap for 3 years after completion.<a href="https://www.gpo.gov/fdsys/granule/CFR-2011-title3-vol1/CFR-2011-title3-vol1-sec102-110/content-detail.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.gpo.gov/fdsys/granule/CFR-2011-title3-vol1/CFR-2011-title3-vol1-sec102-110/content-detail.html</a>.</p>
<p><a href="https://www.zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/#_ftnref2" name="_ftn2" data-wpel-link="internal">[10]</a> RRSs also include business and operational needs, and common practice. However, this article is limited to legal requirements.</p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_15">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_15  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_7 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/" data-wpel-link="internal">Implications of Statutes of Limitations, Privacy &#038; Handling Requirements on Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/implications-of-statutes-of-limitations-privacy-handling-requirements-on-information-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ROT Introduction &#038; Prevention Tips</title>
		<link>https://zasio.com/rot-introduction-prevention-tips/</link>
					<comments>https://zasio.com/rot-introduction-prevention-tips/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 23 Aug 2016 21:44:59 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=1097</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/rot-introduction-prevention-tips/" data-wpel-link="internal">ROT Introduction &#038; Prevention Tips</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_8 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_16">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_16  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
<div class="et_pb_text_inner"><p>ROT stands for Redundant, Obsolete, and/or Trivial information and includes all information NOT being stored for a valid business, legal or common practice purpose. It is duplicative of official records, past its useful life, and/or information that does not meet the standard for an official record. Also, it’s important to remember that ROT consists of both physical and electronic information, including <a href="https://www.zasio.com/using-outlook-365-we-have-you-covered/" data-wpel-link="internal">email</a>.</p>
<p><strong>Examples of why it is problematic:</strong></p>
<ul>
<li>Storage is expensive. Although it seems like less of a problem to store ROT electronically, it can actually be more expensive in the long term than paper. For example, extensive ROT that is being accumulated in an unstructured format has the potential for expensive discovery and legal hold work should a suit commence.</li>
<li>It adds useless clutter, reducing accessibility of information by making it more difficult to find documents you need.</li>
<li>It is a liability. Keeping information that is no longer useful and that is no longer required by law may create liability risk by preserving evidence that could be deemed adverse.</li>
<li>Finally, if ROT contains <a href="https://www.zasio.com/identifying-personally-identifiable-information/" data-wpel-link="internal">personally identifiable information</a> (PII), keeping it could be illegal.</li>
</ul>
<p><strong>Tips to Prevent ROT</strong></p>
<p>Redundant data can be prevented by evaluating, then implementing, a well thought out and organized file plan that is easy to use and customized to the needs of the user. For example, grouping functionally similar records in dedicated files and using shortcuts to point to them when needed elsewhere avoids duplication. When using shortcuts, structure stability is crucial for the longevity of the plan, so it is important that the plan is well thought out in advance of implementation. Additionally, procedures can help limit redundant information. For example, designating dedicated roles or users to manage the records and information is a best practice that allows businesses to avoid saving redundant information. Companies often designate the first person in the “To” line of an email to save the contents, while subsequent recipients and people in the “CC” list do not save.</p>
<p>Obsolete records should be purged as soon as they transition to that status, meaning they are no longer needed based on legal requirements, common practice and business needs. Creating, implementing and following a records retention schedule (RRS) is standard practice in order to properly dispose of obsolete records. When creating or revising an RRS, keep in mind that the simpler and more intuitive the schedule, the more likely that employees will adhere to it and use it properly, which is why a big bucket functional schedule is usually recommended. For more complex organizations, a data map may also be useful to pinpoint where the records referenced in the RRS reside, electronically or in paper. Follow through with the destruction of records by scheduling records destruction days dedicated to this task.</p>
<p>Because trivial information usually lies outside the definition of a record, most companies handle it through policies, procedures and training. For example, a policy defining what constitutes a record usually defines the final version as a record while excluding the working versions and drafts. The policy should go on to require that non-records, like working versions and drafts, be destroyed as soon as the final is established. Training is also necessary to place the responsibility for properly destroying trivial information on employees and to prevent information hoarding, which is a common mentality.</p>
<p><strong>Conclusion</strong></p>
<p>While destroying all ROT may be a long-shot goal, following the tips above provides a good first step to prevent compiling new ROT. If you are an established business, you likely already have a significant amount of ROT which is why it is important for you to review your records and information and put together a solid plan to manage new ROT. If reducing extensive existing ROT is an issue, there are software solutions that are designed specifically to help businesses manage their records and information. Examples to help with ROT include file and data analytics software and crawling software which analyzes unstructured data, pinpointing redundant information while auto-categorizing and indexing remaining information to distinguish between ROT and records.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_17">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_17  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_8 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/rot-introduction-prevention-tips/" data-wpel-link="internal">ROT Introduction &#038; Prevention Tips</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/rot-introduction-prevention-tips/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>EU-US Privacy Shield Introduction and Current Status</title>
		<link>https://zasio.com/us-eu-privacy-shield-introduction-and-current-status/</link>
					<comments>https://zasio.com/us-eu-privacy-shield-introduction-and-current-status/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 15 Jun 2016 19:21:07 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Rick Surber]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=1125</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/us-eu-privacy-shield-introduction-and-current-status/" data-wpel-link="internal">EU-US Privacy Shield Introduction and Current Status</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_9 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_18">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_18  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
<div class="et_pb_text_inner"><p><strong>Introduction</strong></p>
<p>The proposed Privacy Shield agreement between the US and EU seeks to streamline EU data protection compliance for commercial exchanges requiring the transfer of personal data from the EU to the US. If approved, it would replace the Safe Harbor agreement which was deemed inadequate in assuring the protection of personal data by the European Court of Justice.</p>
<p>Privacy Shield seeks to satisfy the concerns opined by the European Court of Justice by requiring stronger obligations and enforcement mechanisms on companies and US government agencies including: affirmations and assurances about proper personal data use; restrictions on onward transfer; oversight mechanisms; an abolition of mass surveillance and indiscriminate collection; and sanctions for companies including the ability to exclude non-compliant companies. In addition, EU citizens will be able to file complaints against companies and US government agencies with third parties like arbitration panels and an ombudsman which will be available for escalated complaints. Further, companies will be required to answer complaints within 45 days, provide free dispute resolution, and work with data protection agencies in resolving complaints and agency concerns. The final item that is worth mentioning is that there will be joint monitoring by EU and US agencies including a privacy summit and public reporting.</p>
<p>Practically, for US companies, this will mean similar compliance self-certification as previously mandated under Safe Harbor, but in addition, Privacy Shield now adds an enforcement mechanism requiring that they work with EU citizens and privacy agencies to resolve complaints and provide sanctions for non-compliance.</p>
<p><strong>Status</strong></p>
<p>Privacy Shield was initially scheduled to take effect at the end of June, and the US fast-tracked several laws and agreements to implement it, including the Judicial Redress Act, which gives EU citizens the right to enforce data protection rights in US courts, and the EU-US Umbrella Agreement, which establishes data protection rules for the exchange of personal data between the two governments. Despite these initial efforts, several obstacles and criticisms have prevented EU approval of Privacy Shield. Most recently, the European Parliament passed a resolution listing deficiencies in the agreement as proposed and asked for further negotiations.</p>
<p>While Privacy Shield is being reviewed and negotiated, companies must rely on other, less streamlined options for legitimate data transfer, such as model contract clauses, binding corporate rules, and consent agreements. Making passage of Privacy Shield even more urgent, the Irish Data Protection Commissioner recently challenged the model contract clauses as well. As of this writing, the European Court of Justice has not yet ruled on that matter.</p>
<p>For more information about Privacy Shield see the <a href="https://www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework" data-wpel-link="external" rel="external noopener noreferrer">USCommerce.gov fact sheet</a>.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_19">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_19  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_9 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/08/Rick-01-96x96-1.jpg" alt="Author: Rick Surber, CRM, IGP" class="wp-image-1934" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Rick Surber, CRM, IGP</h4>
					<p class="et_pb_member_position">Senior Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/us-eu-privacy-shield-introduction-and-current-status/" data-wpel-link="internal">EU-US Privacy Shield Introduction and Current Status</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/us-eu-privacy-shield-introduction-and-current-status/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
