<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Whitney Nelson Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/whitney-nelson/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/whitney-nelson/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Sun, 17 Sep 2023 07:24:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>Whitney Nelson Archives - Zasio</title>
	<link>https://zasio.com/tag/whitney-nelson/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Trendsetting in California: Updated Record Retention Requirements for Employers</title>
		<link>https://zasio.com/trendsetting-in-california/</link>
					<comments>https://zasio.com/trendsetting-in-california/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 28 Mar 2022 19:41:19 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[California Government Code]]></category>
		<category><![CDATA[record retention consulting]]></category>
		<category><![CDATA[record retention requirements]]></category>
		<category><![CDATA[records management software]]></category>
		<category><![CDATA[records retention software]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=454</guid>

					<description><![CDATA[<p>California updated its Government Code as of January 1, 2022. California Government Code Section 12946 increased the retention period for records related to personnel and job applicants to four years. Previously, the minimum retention period for these records was 2 years. The law currently reads: It shall be an unlawful practice for employers, labor organizations, and employment agencies subject to the provisions of this part to fail to maintain and preserve any and all applications, personnel, membership, or employment referral records and files for a minimum period of four years after the records and files are initially created or received, or for employers to fail to retain personnel files of applicants or terminated employees for a minimum period of four years after the date of the employment action taken. California’s increase represents a departure from most other state and federal requirements for job applicant information. In recent years, there has been a trend to shorten retention periods for records containing personal information, including those maintained by employers and recruiters. Some jurisdictions set the retention period for job applicant information at a maximum of 2 to 3 years. Shorter retention periods are typically recommended for applicant records in an effort to [&#8230;]</p>
<p>The post <a href="https://zasio.com/trendsetting-in-california/" data-wpel-link="internal">Trendsetting in California: Updated Record Retention Requirements for Employers</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>California updated its Government Code as of January 1, 2022. California Government Code Section 12946 increased the retention period for records related to personnel and job applicants to four years. Previously, the minimum retention period for these records was 2 years. The law currently reads:</p>
<p>It shall be an unlawful practice for employers, labor organizations, and employment agencies subject to the provisions of this part to fail to maintain and preserve any and all applications, personnel, membership, or employment referral records and files for a minimum period of four years after the records and files are initially created or received, or for employers to fail to retain personnel files of applicants or terminated employees for a minimum period of four years after the date of the employment action taken.</p>
<p>California’s increase represents a departure from most other state and federal requirements for job applicant information. In recent years, there has been a trend to shorten retention periods for records containing personal information, including those maintained by employers and recruiters. Some jurisdictions set the retention period for job applicant information at a maximum of 2 to 3 years. Shorter retention periods are typically recommended for applicant records in an effort to minimize the amount of personal information employers keep on successful and unsuccessful job applicants.</p>
<p>The purpose behind California’s retention increase is to assist employees and potential candidates pursuing employment discrimination complaints. Once a complaint has been filed, employers must retain those records until the time for filing a civil action has expired or until the complaint, appeals, or related proceedings have terminated.</p>
<p>Interested in learning how this could impact your records retention schedule? <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today!</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/trendsetting-in-california/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Sanitize Everything From Your Hands to Your Personal Information</title>
		<link>https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/</link>
					<comments>https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 03 Mar 2021 21:19:19 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[anonymization]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Data Protection Act]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Pseudonymization]]></category>
		<category><![CDATA[records]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Sanitization]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=573</guid>

					<description><![CDATA[<p>If the last year has taught us anything, it is to sanitize, sanitize, sanitize. You are probably sanitizing your hands, your house, everything you touch, but what about the personal information you process? Laws and regulations increasingly require entities to sanitize, pseudonymize or anonymize the personal information that they collect or process. Other than defining and requiring sanitization, these legal requirements often neglect to inform regulated entities what sanitization encompasses.  Pseudonymization, Anonymization, and Sanitization Defined The GDPR has introduced a multitude of data protection-related terms. Pseudonymization, anonymization, and sanitization are terms that are often used interchangeably. According to GDPR Article 4, subsection 5, pseudonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […] to ensure that the personal data are not attributed to an identified or identifiable natural person”[1]. Anonymization relates to “a data processing technique that removes or modifies personally identifiable information; it results in anonymized data that cannot be associated with any one individual.”[2] According to Google’s policies, their anonymization process “use[s] generalization to remove a portion of the data or replace some part of it with a common value.”[3] [&#8230;]</p>
<p>The post <a href="https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/" data-wpel-link="internal">Sanitize Everything From Your Hands to Your Personal Information</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If the last year has taught us anything, it is to sanitize, sanitize, sanitize. You are probably sanitizing your hands, your house, everything you touch, but what about the personal information you process?</p>
<p>Laws and regulations increasingly require entities to sanitize, pseudonymize or anonymize the personal information that they collect or process. Other than defining and requiring sanitization, these legal requirements often neglect to inform regulated entities what sanitization encompasses.</p>
<p><strong>Pseudonymization, Anonymization, and Sanitization Defined</strong></p>
<p>The GDPR has introduced a multitude of data protection-related terms. Pseudonymization, anonymization, and sanitization are terms that are often used interchangeably.</p>
<p>According to GDPR Article 4, subsection 5, <strong>pseudonymization</strong> is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […] to ensure that the personal data are not attributed to an identified or identifiable natural person”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a>.</p>
<p><strong>Anonymization</strong> relates to “a data processing technique that removes or modifies personally identifiable information; it results in anonymized data that cannot be associated with any one individual.”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> According to Google’s policies, their anonymization process “use[s] generalization to remove a portion of the data or replace some part of it with a common value.”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a></p>
<p>Similarly, <strong>sanitization</strong> relates to “the process of removing sensitive information from a document or other message (or sometimes encrypting it), so that the document may be distributed to a broader audience”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a>. This process irreversibly removes or destroys personal information from a record, database, or memory device.</p>
<p>Each of the above definitions highlights that these processes make personal information unrecognizable. Once the initial purpose for processing is no longer necessary, organizations may continue to need other non-identifying information for other important purposes, such as internal metrics, continuing research, or transfer to other parties. These processes allow organizations to have access to this non-identifying information while minimizing the risk of breaching personal information.</p>
<p><strong>What Must be Sanitized?</strong></p>
<p>Most regulatory requirements relating to sanitization refer to specific regulated parties and specific types of information, typically within the realm of finance, medicine, or employment. As researchers continue to learn about the epidemiology of COVID-19, the next few years may also see an increase in personal information sanitization laws on the collection and transfer of health information. For example, California requires employers to keep a record of all COVID-19 cases. This requirement creates a caveat that personal identifying information be removed when medical information is made available to others.<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></p>
<p>In contrast, few laws relate to general data processors or categories of data processing. One such example is the Australian state of Victoria’s Privacy and Data Protection Act, which requires organizations to “take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a></p>
<p>While current laws and regulations specify what information needs to be sanitized and who needs to sanitize it, organizations are left to determine where this information may be located. Some examples of where personal information requiring sanitization could be lurking are email, which may most easily be sanitized through encryption<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a>; personally-owned devices; old systems or databases; or information being transferred to third parties.</p>
<p><strong>Sanitization Policies</strong></p>
<p>Creating and implementing a sanitization policy can be a good first step to mitigating your risk of a personal information breach. Sanitization policies identify persons or departments responsible for sanitization, as well as areas where personal information may be located. Sanitization policies also describe how and when to remove or modify personal information. Failure of organizations to create such policies may result in significant fines. For example, some of the first GDPR-related fines were for organizations retaining non-sanitized passwords which were later breached.<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a></p>
<p><strong>Conclusion</strong></p>
<p>The next time you reach for your hand sanitizer, consider how your business could benefit from a sanitization policy for personal information as well. To learn more about regulatory requirements regarding personal information, <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio</a> today!</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&amp;qid=1614112590207" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">European Union Regulation 2016/679</a>, “GDPR”.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Google, Technologies, <a href="https://policies.google.com/technologies/anonymization?hl=en-US" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">HOW GOOGLE ANONYMIZES DATA</a>.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref3" target="_blank" rel="noopener" name="_ftn3" data-wpel-link="internal">[3]</a> Id.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> Wikipedia, <a href="https://en.wikipedia.org/wiki/Sanitization_(classified_information)#:~:text=Sanitization%20is%20the%20process%20of,distributed%20to%20a%20broader%20audience.&amp;text=It%20is%20intended%20to%20allow,parts%20of%20the%20document%20secret." target="_blank" rel="noopener external noreferrer" data-wpel-link="external">Sanitization (classified information)</a>.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> <a href="https://govt.westlaw.com/calregs/Document/I7901A7BCA8BB43DA8C6E8D6524804753?viewType=FullText&amp;originationContext=documenttoc&amp;transitionType=CategoryPageItem&amp;contextData=(sc.Default)" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">8 California Code of Regulations 3205</a>.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> <a href="https://content.legislation.vic.gov.au/sites/default/files/2020-08/14-60aa026%20authorised.pdf" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">Privacy and Data Protection Act 2014</a>, Schedule 1, Principle 4.2.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> GDPR.EU, “<a href="https://gdpr.eu/email-encryption/?cn-reloaded=1" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">How does the GDPR affect email?</a>”.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> Security Boulevard, “<a href="https://securityboulevard.com/2020/05/4-gdpr-violations-that-multiple-companies-have-been-fined-for/" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">4 GDPR Violations that Multiple Companies have been Fined for</a>”.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Artificial Intelligence: The Final Frontier in Records and Information Management</title>
		<link>https://zasio.com/artificial-intelligence-the-final-frontier/</link>
					<comments>https://zasio.com/artificial-intelligence-the-final-frontier/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 05 Aug 2020 21:38:11 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data protection practices]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=696</guid>

					<description><![CDATA[<p>According to the European Commission’s Artificial Intelligence for Europe, “Artificial intelligence (AI) is already part of our lives – it is not science fiction.” From smart speakers to customer service, AI has found its way into our homes and businesses. One area of business where AI use is emerging is records and information management [RIM]. As opportunities to use AI in RIM increase, what privacy implications, what unnecessary classification or retention, and what laws or regulations can information governance and privacy professionals expect to find in the future? As the amounts of data increase, so does the headache in trying to manage such data. AI systems and software can assist RIM professionals to capture and classify their records and information through the use of auto-classification tools. These tools implement AI through defined, encoded rules based on keywords or phrases to classify and sort the input information. Self-learning or machine learning technologies, AI systems that enable computers to learn from their environment without being explicitly programmed, can increase the efficiency and accuracy of auto-classification of information. While these tools do speed up the classification and sorting processes, they are not foolproof. Some oversight is needed to make sure that the AI systems [&#8230;]</p>
<p>The post <a href="https://zasio.com/artificial-intelligence-the-final-frontier/" data-wpel-link="internal">Artificial Intelligence: The Final Frontier in Records and Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>According to the <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A52018DC0237&amp;from=EN" data-wpel-link="external" rel="external noopener noreferrer">European Commission’s Artificial Intelligence for Europe</a>, “Artificial intelligence (AI) is already part of our lives – it is not science fiction.” From smart speakers to customer service, AI has found its way into our homes and businesses. One area of business where AI use is emerging is records and information management [RIM]. As opportunities to use AI in RIM increase, what privacy implications, what unnecessary classification or retention, and what laws or regulations can information governance and privacy professionals expect to find in the future?</p>
<p>As the amounts of data increase, so does the headache in trying to manage such data. AI systems and software can assist RIM professionals to capture and classify their records and information through the use of auto-classification tools. These tools implement AI through defined, encoded rules based on keywords or phrases to classify and sort the input information. Self-learning or machine learning technologies, AI systems that enable computers to learn from their environment without being explicitly programmed, can increase the efficiency and accuracy of auto-classification of information.</p>
<p>While these tools do speed up the classification and sorting processes, they are not foolproof. Some oversight is needed to make sure that the AI systems are correctly classifying information as records or non-records. Additionally, a mislabeled record can result in over-retention, leading to discovery or breach concerns. Because AI software can require integration of multiple systems or third-party vendors, data security risks can also increase.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> If RIM professionals use AI software to classify their information, they will need to implement policies and procedures to conduct this oversight and review these procedures regularly, just as they would their records retention schedules and data protection practices.</p>
<p>As this area of business and way of life increases, so too does the need for regulated governance. Currently, there is no specific AI legislation in relation to information governance or data protection. The EU’s General Data Protection Regulation “applies to the processing of personal data wholly or partly by automated means”<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a>; however, it only regulates automated processing, or the use of AI in automated decision making, by requiring data controllers to inform the data subject and allow her/him the right to object to processing or decisions based solely on automated processing.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Similarly, Illinois’ Artificial Intelligence Video Interview Act only requires disclosure to and consent from applicants by employers using AI analysis in job interviews.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> Both the EU and the US have seen the need to increase their AI communities and workers, but neither has yet enacted legislation specific to AI usage in information management.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></p>
<p>Governments and data protection authorities are beginning to see the need for more concrete guidance in the area of AI. The United Kingdom’s Information Commissioner’s Office recently published <a href="https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/guidance-on-ai-and-data-protection-0-0.pdf" data-wpel-link="external" rel="external noopener noreferrer">Guidance on AI and Data Protection</a> which provides more comprehensive guidelines for companies using AI to implement good practices in the area of data protection. Specifically, the ICO Guidance addresses the “need to align your internal structures, roles, and responsibilities maps, training requirements, policies and incentives to your overall AI governance and risk management strategy.”<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a> The ICO Guidance also recommends human oversight. “[H]uman reviewers must be involved in checking the system’s recommendation and should not just apply the automated recommendation to an individual in a routine fashion”.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a> These recommendations may prompt businesses to implement their own AI policies and procedures before such requirements become more concrete.</p>
<p>As AI becomes a common facet of doing business, will AI be the new undiscovered frontier that RIM professionals need to consider when creating and implementing records retention schedules? Those are the voyages of RIM professionals. Their mission: to explore new ethical issues surrounding AI, to seek out new aspects of RIM practices, and to boldly manage information where no one else can.</p>
<p><a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today for information on how AI systems can affect your RIM and data protection practices.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Information Commissioner’s Office, Guidance on AI and Data Protection, How should we assess security and data minimization in AI? What’s different about security in AI compared to ‘traditional’ technologies?.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Regulation (EU) 2016/679 General Data Protection Regulation (2)(1).</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Id. at (13)-(15), (21).</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> 820 ILCS 42/15.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> European Commission Artificial Intelligence for Europe; Ex. Ord. No. 13845. Establishing the President’s National Council for the American Worker.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> Information Commissioner’s Office, Guidance on AI and Data Protection, What are the accountability and governance implications of AI?, How should we approach AI governance and risk management?.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> Id. How do we ensure individual rights in our AI systems?, What is the role of human oversight?</p>
<div><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
<p>The post <a href="https://zasio.com/artificial-intelligence-the-final-frontier/" data-wpel-link="internal">Artificial Intelligence: The Final Frontier in Records and Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/artificial-intelligence-the-final-frontier/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Using Records Management to Restart</title>
		<link>https://zasio.com/using-records-management-to-restart/</link>
					<comments>https://zasio.com/using-records-management-to-restart/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 08 Apr 2020 19:11:59 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[records management]]></category>
		<category><![CDATA[restart your business]]></category>
		<category><![CDATA[Telecommuting]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=728</guid>

					<description><![CDATA[<p>How to Use a Records Management Program to Sustain Business Operations We are living in unprecedented times. People and businesses worldwide are having to adjust their daily routines and navigate new ways to do business. Consumer spending has drastically declined. International travel is at a standstill. Both small businesses and multinational companies have temporarily shut down, instituted furloughs or layoffs, or quickly restructured to company-wide telecommuting to deal with the new and rapidly changing environment. Whatever position your business currently finds itself in, a records management program can help your business find a way to be productive again. How to Use Your Current Records Management Program If you are currently experiencing one of the business interruptions mentioned above, a records management program will be an initial step in resuming business operations. If you already have a records management program, you can utilize it to create or implement a business continuity plan. A business continuity plan is a “documented plan that defines the resources, actions, tasks, and data required to manage…disaster response and recovery, and business resumption process in the event of a business interruption.” One key to a business continuity plan is vital records. As the name suggests, these records [&#8230;]</p>
<p>The post <a href="https://zasio.com/using-records-management-to-restart/" data-wpel-link="internal">Using Records Management to Restart</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>How to Use a Records Management Program to Sustain Business Operations</strong><br />
We are living in unprecedented times. People and businesses worldwide are having to adjust their daily routines and navigate new ways to do business. Consumer spending has drastically declined. International travel is at a standstill. Both small businesses and multinational companies have temporarily shut down, instituted furloughs or layoffs, or quickly restructured to company-wide telecommuting to deal with the new and rapidly changing environment. Whatever position your business currently finds itself in, a records management program can help your business find a way to be productive again.</p>
<p><strong>How to Use Your Current Records Management Program</strong><br />
If you are currently experiencing one of the business interruptions mentioned above, a records management program will be an initial step in resuming business operations. If you already have a records management program, you can utilize it to create or implement a business continuity plan. A business continuity plan is a “documented plan that defines the resources, actions, tasks, and data required to manage…disaster response and recovery, and business resumption process in the event of a business interruption.”</p>
<p>One key to a business continuity plan is vital records. As the name suggests, these records are essential to continue business operations. Examples of vital records include corporate organization and formation documents, contracts, intellectual property, blueprints, formulas, and so on. If you currently have a functioning records retention schedule, make use of it to identify and classify those records that will help you most in restarting business processes.</p>
<p><strong>What to Do If You Do Not Have an Existing Records Management Program</strong><br />
If you are still in the beginning stages of developing a records management program, first identify vital records and back up those files for safekeeping. Begin by gathering information from each department or area of your business to identify what each needs to continue operations. This information gathering should include not only the types of records involved, but also where these records are kept and in what format and volume. This information will then help you develop a records retention schedule and records management program for your business. These in turn will make it easier to collect and retrieve information, such as secondary suppliers, client contacts, or service requests, that you can use to resume business.</p>
<p>After you have identified vital information, organize and classify the information that you will need on day one of resuming business. In addition, documenting this process of identification, organization, and classification will help you implement your business continuity plan should a future need arise. This documentation should also include protection instructions for your identified vital records, as well as methods to access this information in times of interrupted business. When you are ready to resume your business to its full capacity, identified records and a functioning records management program will help you resume much more quickly and easily.</p>
<p><strong>How We Can Help</strong><br />
We know times are hard. We are all worrying about our lives and our livelihoods. If your business has slowed down, use this opportunity to develop or hone your records management program. A functioning records management program can help you control business production through organization of one of your greatest assets, your records.</p>
<p>Zasio has over 30 years of expertise in records management. Whether you are at the beginning stages of a records management program, or looking for ways to leverage your current records management program to stay in touch with vendors and clients, we can help. We can help you assess those areas where your records management program might be lacking and can help you build a functioning records retention schedule. A records management program will not just help with disposition and organization; it can also help you get the jump start and sustainability your business needs today. <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/using-records-management-to-restart/" data-wpel-link="internal">Using Records Management to Restart</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/using-records-management-to-restart/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Fall of the Berlin Wall and the Rise of Berlin Sanctions</title>
		<link>https://zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/</link>
					<comments>https://zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 16 Oct 2019 20:09:54 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Berlin DPA]]></category>
		<category><![CDATA[Berlin Sanctions]]></category>
		<category><![CDATA[Berlin Wall]]></category>
		<category><![CDATA[Delivery Hero Germany]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[General Data Protection Regulation]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=762</guid>

					<description><![CDATA[<p>Thirty years ago, this November, East and West Germans began crossing the Berlin Wall after the German Democratic Republic (GDR) announced that East German citizens could freely visit West Germany and West Berlin. Within a short amount of time, both Easterners and Westerners started tearing down parts of the Wall, symbolizing the subsequent wearing down of the GDR.[1] With the 30th anniversary of the fall of the Berlin Wall coming up in a few weeks, it seems fitting to view the recent rise of European General Data Protection Regulation (GDPR) sanctions issued by the Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA). Germany, unlike other EU member countries, regulates GDPR compliance through its state data protection authorities rather than its federal data protection authority, the Federal Commissioner for Data Protection and Freedom of Information. The Länder (or states) each have their own data protection offices and their own data protection laws to govern the public and private sectors’ data protection obligations. Additionally, the Länder DPAs can issue sanctions for noncompliance with the GDPR. Since the GDPR has become effective, the Länder DPAs have issued approximately 41 sanctions,[2] with the highest amounts being well under the million-euro fines allowed under [&#8230;]</p>
<p>The post <a href="https://zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/" data-wpel-link="internal">The Fall of the Berlin Wall and the Rise of Berlin Sanctions</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Thirty years ago, this November, East and West Germans began crossing the Berlin Wall after the German Democratic Republic (GDR) announced that East German citizens could freely visit West Germany and West Berlin. Within a short amount of time, both Easterners and Westerners started tearing down parts of the Wall, symbolizing the subsequent wearing down of the GDR.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a></p>
<p>With the 30<sup>th</sup> anniversary of the fall of the Berlin Wall coming up in a few weeks, it seems fitting to view the recent rise of European General Data Protection Regulation (GDPR) sanctions issued by the Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA).</p>
<p>Germany, unlike other EU member countries, regulates GDPR compliance through its state data protection authorities rather than its federal data protection authority, the Federal Commissioner for Data Protection and Freedom of Information. The Länder (or states) each have their own data protection offices and their own data protection laws to govern the public and private sectors’ data protection obligations. Additionally, the Länder DPAs can issue sanctions for noncompliance with the GDPR.</p>
<p>Since the GDPR has become effective, the Länder DPAs have issued approximately 41 sanctions,<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> with the highest amounts being well under the million-euro fines allowed under the GDPR.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> The Berlin DPA has issued only a handful of fines against companies for violation of the GDPR,<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> but Berlin appears to be at the precipice of another new trend. In the last two months the Berlin DPA has issued some of the largest GDPR sanctions in Germany.</p>
<p>In August, the Berlin DPA issued fines against Delivery Hero Germany GmbH for nearly 200,000 euros for “non-compliance with data subject rights, such as the right to information on the processing of personal data, the right to erasure of data and the right to object”.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a> The Berlin DPA stated that the fines were a result of the high number of repeated violations and numerous indications from the supervisory authority that problems existed but solutions were not implemented.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a></p>
<p>This sanction comes just a few months after the Berlin DPA’s other largest fine in March of this year. That fine was against the online bank N26 for 50,000 euros. The bank kept a list of names of former customers “for money laundering prevention purposes, regardless of whether they were actually suspected of money laundering”.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a> This increase from March to August is only the beginning of the building-up of GDPR-related fines in Berlin.</p>
<p>The Berlin DPA also recently issued a statement that it “intends to impose a fine of millions in the foreseeable future for violations of the [GDPR]”.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a> The company, the amount of the fines and other information were not disclosed as the matter is still under review. According to the spokeswoman for the Berlin DPA, the fine could “reach tens of millions”.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn9" name="_ftnref9" data-wpel-link="internal">[9]</a> When issued, this fine will be the largest GDPR sanction in Germany and one of the largest fines in Europe since the GDPR became effective. So far only France’s CNIL and the United Kingdom’s Information Commissioner have issued fines close to this amount, with the United Kingdom’s fine yet to be finalized.<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn10" name="_ftnref10" data-wpel-link="internal">[10]</a></p>
<p>After the August sanction against Delivery Hero Germany, the Berlin Data Protection Commissioner, Maja Smoltczyk, stated, “I hope these fines will have a warning effect on other companies as well. Anyone working with personal data needs a functioning data protection management system. This not only helps to avoid fines, but also strengthens the trust and satisfaction of the clientele.”<a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftn11" name="_ftnref11" data-wpel-link="internal">[11]</a></p>
<p>The Berlin DPA’s recent GDPR sanctions are just another building block of data protection security in Europe. Thirty years ago, Berlin was vital in tearing down the GDR and reunifying Germany. Today, Berlin is becoming key in building up the power of the GDPR in Germany.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> “East Germany opens the Berlin Wall”, <a href="http://www.history.com/this-day-in-history/east-germany-opens-the-berlin-wall" data-wpel-link="external" rel="external noopener noreferrer">History</a>; “Berlin Wall”, <a href="http://www.history.com/this-day-in-history/east-germany-opens-the-berlin-wall" data-wpel-link="external" rel="external noopener noreferrer">Wikipedia</a>.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> “German DPAs issued 41 fines for GDPR violations”, IAPP.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> “Berlin will Datenschutz-Bußgeld in Millionenhöhe verhängen”, <a href="http://www.berlin.de/aktuelles/berlin/5864390-958092-berlin-will-datenschutzbussgeld-in-milli.html" data-wpel-link="external" rel="external noopener noreferrer">Official Capital Portal</a>.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> <a href="http://www.enforcementtracker.com/" data-wpel-link="external" rel="external noopener noreferrer">GDPR Enforcement Tracker</a>.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> “Lieferdienst und Online-Bank – Berliner Datenschutzbeauftragte verhängt empfindliche Bußgelder”, Press Release September 19, 2019, <a href="http://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20190919-PM-Bussgelder.pdf" data-wpel-link="external" rel="external noopener noreferrer">Berlin Commissioner for Data Protection and Freedom of Information</a>.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> Id.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> Id.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> “Berlin will Datenschutz-Bußgeld in Millionenhöhe verhängen”.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref9" name="_ftn9" data-wpel-link="internal">[9]</a> Id.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref10" name="_ftn10" data-wpel-link="internal">[10]</a> <a href="http://www.enforcementtracker.com/" data-wpel-link="external" rel="external noopener noreferrer">GDPR Enforcement Tracker</a>.</p>
<p><a href="https://www.zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/#_ftnref11" name="_ftn11" data-wpel-link="internal">[11]</a> “Lieferdienst und Online-Bank – Berliner Datenschutzbeauftragte verhängt empfindliche Bußgelder”.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/" data-wpel-link="internal">The Fall of the Berlin Wall and the Rise of Berlin Sanctions</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/fall-of-berlin-wall-rise-of-berlin-sanctions/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Importance of Being Permanent</title>
		<link>https://zasio.com/the-importance-of-being-permanent/</link>
					<comments>https://zasio.com/the-importance-of-being-permanent/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 13 Jun 2019 21:15:38 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[permanent record]]></category>
		<category><![CDATA[record retention requirements]]></category>
		<category><![CDATA[records retention]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=786</guid>

					<description><![CDATA[<p>The effect of the word permanent “is rarely pure and never simple”[1] when it comes to records management. In the post-GDPR world, how you interpret and implement the word “permanent” into your retention schedule—as either a long-term retention period[2] or a hardcopy format—could cost you significantly. The Association of Records Managers &#38; Administrators (ARMA) defines a permanent record as “determined to have sufficient historical, administrative, legal, fiscal, or other value to warrant continuing preservation.”[3] But what exactly does continuing preservation mean? Does it refer to the period of time you are supposed to retain information, or could it mean the format in which you retain a record? Legislation is hardly helpful at clearing up the puzzle between permanent retention period and permanent format. Take for example 522 Code of Massachusetts Regulations 3.05, which requires owners or users of nuclear reactor facilities to “keep permanent records to maintain complete traceability of all material used in the construction of any nuclear reactor plant.” Compare that language to 20 New York Codes, Rules and Regulations 39.1 which says, “Every taxpayer must keep permanent books of account or records, including inventories and other pertinent data, as are sufficient to establish the amount of receipts, premiums, gross income, [&#8230;]</p>
<p>The post <a href="https://zasio.com/the-importance-of-being-permanent/" data-wpel-link="internal">The Importance of Being Permanent</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The effect of the word permanent “is rarely pure and never simple”<a href="https://www.zasio.com/the-importance-of-being-permanent/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> when it comes to records management. In the post-GDPR world, how you interpret and implement the word “permanent” into your retention schedule—as either a long-term retention period<a href="https://www.zasio.com/the-importance-of-being-permanent/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> or a hardcopy format—could cost you significantly.</p>
<p>The Association of Records Managers &amp; Administrators (ARMA) defines a permanent record as “determined to have sufficient historical, administrative, legal, fiscal, or other value to warrant continuing preservation.”<a href="https://www.zasio.com/the-importance-of-being-permanent/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> But what exactly does continuing preservation mean? Does it refer to the period of time you are supposed to retain information, or could it mean the format in which you retain a record?</p>
<p>Legislation is hardly helpful at clearing up the puzzle between permanent retention period and permanent format. Take for example 522 Code of Massachusetts Regulations 3.05, which requires owners or users of nuclear reactor facilities to “keep permanent records to maintain complete traceability of all material used in the construction of any nuclear reactor plant.” Compare that language to 20 New York Codes, Rules and Regulations 39.1 which says, “Every taxpayer must keep permanent books of account or records, including inventories and other pertinent data, as are sufficient to establish the amount of receipts, premiums, gross income, assets, capital, gain, loss, deductions, credits or other matters required to be shown by such taxpayer in any report or return required.” Both of these laws require parties to “keep permanent records”, so how should companies interpret the competing meanings of permanent?</p>
<p>One solution for the interpretation of “permanent records” is to look at common practice standards within the business field. Taking the above examples, it is commonly practiced and required for nuclear facilities to keep material and construction records for the life of the facility, a long-term retention period. On the other hand, it is less common for taxpayers to keep accounting records for the entire life of the corporation or business. In fact, most states generally do not require taxpayers to keep accounting records beyond six or seven years. This would suggest that such references to “permanent records” mean the records are to be kept in a permanent format rather than for a permanent retention period.</p>
<p>Another solution to interpretation is to look at similar requirements in other laws within the same jurisdiction. New York Consolidated Law Service Tax 25, for example, requires taxpayers to “retain all relevant correspondence, memoranda, notes, valuation studies, meeting minutes, spreadsheets, models, opinions…and all other records or documents related to the disclosure, filing and list maintenance requirements…for six years”. It is not likely that taxpayers must keep tax documentation for six years and also for the life of the corporation. The need for such records long-term for “historical, administrative, legal, fiscal” value is implausible. Much more probable is the requirement to maintain tax documentation in a format that tax authorities can easily read and inspect.</p>
<p>Without further research and context, laws containing “permanent” language should rarely be taken at face value. Consider the implications of choosing one interpretation over the other before applying “permanent” to your retention schedule. Keeping a record long-term can infringe upon laws with maximum retention requirements. On the other hand, maintaining a record in a permanent format can create logistical recordkeeping issues. Check within your industry and compare similar laws before applying or not applying a long-term retention period. “Permanent” may call itself so, but its true name is usually “format”.</p>
<p><a href="https://www.zasio.com/the-importance-of-being-permanent/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Oscar Wilde, The Importance of Being Earnest (1895).</p>
<p><a href="https://www.zasio.com/the-importance-of-being-permanent/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> For general information on how to cite a permanent retention period, see “<a href="https://www.zasio.com/what-does-a-permanent-retention-period-really-mean/" data-wpel-link="internal">What does a Permanent Retention Period Really Mean?</a>” by Rick Surber.</p>
<p><a href="https://www.zasio.com/the-importance-of-being-permanent/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> ARMA, Glossary of Records Management and Information Governance Terms, 5<sup>th</sup> ed., p. 38.</p>
<p>&nbsp;</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/the-importance-of-being-permanent/" data-wpel-link="internal">The Importance of Being Permanent</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/the-importance-of-being-permanent/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Three Traps to Avoid When Reading Records Retention Laws</title>
		<link>https://zasio.com/three-traps-to-avoid-when-reading-records-retention-laws/</link>
					<comments>https://zasio.com/three-traps-to-avoid-when-reading-records-retention-laws/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 16 Apr 2018 20:01:08 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[legal requirements]]></category>
		<category><![CDATA[Legal Traps]]></category>
		<category><![CDATA[reading laws]]></category>
		<category><![CDATA[records retention]]></category>
		<category><![CDATA[records retention requirement]]></category>
		<category><![CDATA[Traps]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=922</guid>

					<description><![CDATA[<p>What’s included in a records retention requirement? Allow me to get a little Shakespearean on you. That which we call a records retention requirement, no matter the wording, would still have the same effect. If this were true, it would be sweet. Unfortunately, wording can create some major differences in retention requirements. A law’s wording, punctuation, definitions, and title headings can all shape the meaning of which records are regulated. This article will explore common traps you can fall into as you try to decipher records retention laws. But first, what are the components for a records retention law? &#160; What Makes up a Record Retention Law? Records retention requirements typically have three components: • Regulated party (the person required to keep the records), • Record description • The retention period All three areas can have phrasing issues that muddy up the meaning. This lack of clarity can create misunderstandings that can prevent you from your ultimate goal: compliance. Here are some common traps to watch out for: &#160; Trap 1: Who Does What? Like most laws, record retention laws often use passive voice. This means the regulated party is missing from the sentence. In fact, they can be missing [&#8230;]</p>
<p>The post <a href="https://zasio.com/three-traps-to-avoid-when-reading-records-retention-laws/" data-wpel-link="internal">Three Traps to Avoid When Reading Records Retention Laws</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>What’s included in a records retention requirement? Allow me to get a little Shakespearean on you. That which we call a records retention requirement, no matter the wording, would still have the same effect. If this were true, it would be sweet. Unfortunately, wording can create some major differences in retention requirements. A law’s wording, punctuation, definitions, and title headings can all shape the meaning of which records are regulated. This article will explore common traps you can fall into as you try to decipher records retention laws. But first, what are the components of a records retention law?</p>
<p>&nbsp;</p>
<p><strong>What Makes up a Record Retention Law?</strong><br />
Records retention requirements typically have three components:<br />
• Regulated party (the person required to keep the records)<br />
• Record description<br />
• Retention period</p>
<p>All three areas can have phrasing issues that muddy up the meaning. This lack of clarity can create misunderstandings that can prevent you from your ultimate goal: compliance. Here are some common traps to watch out for:</p>
<p>&nbsp;</p>
<p><strong>Trap 1: Who Does What?</strong><br />
Like most laws, record retention laws often use passive voice. This means the regulated party is missing from the sentence. In fact, they can be missing from the entire section or chapter of a particular law. By using passive voice, these laws tell you what you need to do, but not who needs to do it.</p>
<p>Unfortunately, that isn’t the only trap used to obscure who does what. If passive voice doesn’t trick you, the use of vague regulated parties will. A classic example of a vague regulated party favored in retention regulations is “regulated entity.” Define a regulated entity too broadly, and you could create more requirements for your business than actually exist. Define it too narrowly, and you could open yourself up to audits, sanctions, and discovery headaches. These “entities” are rarely found in the definitions sections. Rather, their meaning comes from Titles and Headings.</p>
<p>One example of this is N.J.A.C. § 14:3-6.2 (a): “Each regulated entity shall maintain, readily available to Board staff, adequate maps and/or records….” In this case, the reader needs to look at § 14:1-1.3 to find the definition: “’Regulated entity’ means a person or entity that is subject to the jurisdiction of the Board, or that provides a product or service subject to the jurisdiction of the Board.”</p>
<p><strong>How to Avoid it:</strong> Look for clues in Titles, Headings, and links to other sections. When you find the subject, highlight it or mark it so you can easily find it later.</p>
<p>&nbsp;</p>
<p><strong>Trap 2: What Record?</strong><br />
Some laws offer just one word to describe the thing you’re supposed to keep—a record, document, or copy. If the authority does name what you should retain, they’ll list a few broad, big-bucket-types of records under the type of document you should keep—payroll, invoices, personnel files, and so on. In addition to vague descriptions, a law can also be vague on the requirements for a specific format or a specific location for a record. For example, the law could require you to keep not just invoices, but electronic invoices; not just copies, but the original copies. These requirements all add to the conditions surrounding what kinds of records to keep in a record retention requirement.</p>
<p>Finding a full description of what to keep requires a search into other areas of the law, or even other laws. For example, Norway’s Regulations for completion and implementation of the Tax Payment Act (Tax Payment Regulations) § 5-11-2 (10) states, “The documentation shall be kept in Norway for five years after the end of the income year.” The “documentation” in this case refers to employee payroll information. But you wouldn’t know that unless you found all of the specifics on what documentation means, which are scattered throughout the section.</p>
<p><strong>How to Avoid It:</strong> Be wary—simple descriptions often have hidden pitfalls. Be sure to find definitions or explanations for every requirement. Use a highlighter to mark descriptions. That way, if you get confused you can easily find the definition you need.</p>
<p>&nbsp;</p>
<p><strong>Trap 3: How Long Should I Keep the Records?</strong><br />
Word choice can create the most nuanced differences in a sentence and in the requirement. For example, the retention period might seem clear and easy at first: the law will say the retention period is just a few days, weeks, months, or years. However, this word choice is deceptive. Does the year start at the beginning of the next calendar year, the next financial year, or when the record was created or completed? What if the requirement doesn’t explain how long the retention period lasts?</p>
<p>Some laws try to help readers know which time period applies by using a qualifier, but sometimes laws do not contain these qualifiers, which leaves the reader to question how long the records should be held. Consider 14 CFR § 121.380 (c), which recommends this retention period: “…records specified in paragraph (a)(1) of this section shall be retained until the work is repeated or superseded by other work or for one year after the work is performed.” Without a qualifying phrase, the reader is left guessing which time frame to follow. This confusion can create serious problems. If you don’t hold records long enough, you can suffer from sanctions; if you hold records containing personal information for too long, you may face even bigger penalties.</p>
<p><strong>How to Avoid It:</strong> If the punctuation or wording of a retention period is confusing, look in similar laws–they often have the same retention periods. When in doubt, reach out for help. Talk to other professionals to get their opinion. Never be afraid to ask questions.</p>
<p>&nbsp;</p>
<p>These are just some of the many sand traps that await unwary readers of retention requirements. Don’t take record retention laws at face value. Look at all aspects of the requirement and ask industry experts before you apply retention requirements to your business records. If you have questions about a records retention requirement or are looking for a <a href="https://www.zasio.com/technology-solutions/records-retention-software/" data-wpel-link="internal">records retention</a> system, <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio</a>.</p>
<p>&nbsp;</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/three-traps-to-avoid-when-reading-records-retention-laws/" data-wpel-link="internal">Three Traps to Avoid When Reading Records Retention Laws</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/three-traps-to-avoid-when-reading-records-retention-laws/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Hard-Copy Files in a Digital World</title>
		<link>https://zasio.com/paper-files-digital-world-data-breach/</link>
					<comments>https://zasio.com/paper-files-digital-world-data-breach/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 05 Dec 2017 21:54:41 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data protection laws]]></category>
		<category><![CDATA[digital records]]></category>
		<category><![CDATA[electronic records]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[legacy records]]></category>
		<category><![CDATA[paper records]]></category>
		<category><![CDATA[personal data]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=965</guid>

					<description><![CDATA[<p>Another day, another personal information data breach. Many companies started looking at their own system’s weaknesses after learning about the recent Uber data breach. No one wants to be the next data breach headline. This kind of news can make people long for the days when records retention was simpler and paper-based documents meant data protection wasn’t always part of the daily routine. Some may even wonder whether the benefits of personal data protection outweigh the administrative burden of returning to hard-copy records. [1] But did you know that low-tech data can be just as easy, if not easier, to breach? How do data protection laws apply to hard-copy records? Cyber-security is on the front-lines of the personal data battle, but it’s just part of the equation. Careless retention of hard-copy records that contain personal information can also result in a data breach. Careless retention can affect both small and large organizations and those with domestic or international connections. Many companies moved from hard-copy records to digital records. Digital records are a more efficient and “greener” system. However, overlooking hard-copy documents can leave companies open to personal data attacks and heavy sanctions. While some data protection laws define “personal information” in detail, most are [&#8230;]</p>
<p>The post <a href="https://zasio.com/paper-files-digital-world-data-breach/" data-wpel-link="internal">Hard-Copy Files in a Digital World</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3><strong>Another day, another personal information data breach.</strong></h3>
<p>Many companies started looking at their own systems’ weaknesses after learning about the recent Uber data breach. No one wants to be the next data breach headline. This kind of news can make people long for the days when <a href="https://www.zasio.com/technology-solutions/records-retention-software/" data-wpel-link="internal">records retention</a> was simpler and paper-based documents meant data protection wasn’t always part of the daily routine. Some may even wonder whether the benefits of personal data protection outweigh the administrative burden of returning to hard-copy records. <a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> But did you know that low-tech data can be just as easy, if not easier, to breach?</p>
<h3><strong>How do data protection laws apply to hard-copy records?</strong></h3>
<p>Cyber-security is on the front-lines of the personal data battle, but it’s just part of the equation. Careless retention of hard-copy records that contain personal information can also result in a data breach. Careless retention can affect both small and large organizations and those with domestic or international connections. Many companies moved from hard-copy records to digital records. Digital records are a more efficient and “greener” system. However, overlooking hard-copy documents can leave companies open to personal data attacks and heavy sanctions.</p>
<p>While some data protection laws define “personal information” in detail, most are purposely vague. For example, Serbia’s Law on Personal Data Protection defines personal information as “any information relating to a natural person, regardless of the form of its presentation or the medium used (paper, tape, film, electronic media etc.).”<a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> The EU’s General Data Protection Regulation (GDPR) has its own definition of “personal data.” In fact, it makes no reference to the medium of the personal data.<a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> However, the GDPR’s definition of a “personal data breach” covers the low-tech, minor data breaches and doesn’t even mention the medium of the data. The GDPR states that a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”<a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> The lack of clarity in the law can be costly for businesses. They could face high sanctions for what seems like a trivial loss of hard-copy records.</p>
<h3><strong>What are some differences for hard-copy data protection requirements?</strong></h3>
<p>Most data protection laws have broad requirements for both electronic and hard-copy personal information. However, some laws are more specific about the difference between physical documents and digital information.</p>
<p>Many data protection laws carry records-handling requirements that explain how to store, destroy, or protect hard-copy records that contain personal information. For example, the Netherlands AFM Compliance Regulations specifies that businesses must store physical data in a fireproof safe and digital data must be “safeguarded by technical access security systems.”<a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></p>
<p>Different laws carry different requirements. Zasio can teach you how to protect your data based on the laws that affect your business. We can also <a href="https://www.zasio.com/consulting-services/" data-wpel-link="internal">clarify other records retention requirements</a> for you. Call us today.</p>
<div class="hr-thin"></div>
<p><a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Draft PIC/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, 5.3.3.</p>
<p><a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Serbia Law on Personal Data Protection, RS Official Gazette Nos. 97/2008 and 104/2009, Article 3 (1).</p>
<p><a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 4 (1).</p>
<p><a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> Id. at Article 4 (12).</p>
<p><a href="https://www.zasio.com/paper-files-digital-world-data-breach/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> Dutch Authority for the Financial Markets Compliance Regulations, Regulations about handling inside information, Appendix 4 (Data Security).</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/paper-files-digital-world-data-breach/" data-wpel-link="internal">Hard-Copy Files in a Digital World</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/paper-files-digital-world-data-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
