5 Records Management Laws Every Pro Must Know
Brush up on these 5 records management laws to understand where we are now, and where we’re headed.
On May 25, the European Union will begin enforcing the General Data Protection Regulation (GDPR), a powerful new law that is widely expected to set a new and much higher standard for consumer rights regarding personal data. California companies doing business in the E.U. must be compliant with the new laws immediately, and a potential ballot initiative could bring similar privacy rules to California in the near future. In a recent report, the Association for Information and Image Management (AIIM) said the new European regulations are “the most immediately visible evidence of what will soon be a tidal wave of national and industry information privacy and security regulations.”
This rapidly changing legal landscape is putting records management legislation in the public spotlight and forcing records managers to see existing laws and information governance practices in a new light. These are the four current records management laws every professional must know, and an introduction to the new legislation that is expected to shape the records management policies and procedures of the future.
Health Insurance Portability and Accountability Act (HIPAA)
Established in 1996, this federal records management law sets out data privacy and security guidelines for safeguarding personal medical information, including medical records and any other identifiable health information. In 2013, the government increased penalties for HIPAA violations to a maximum of $1.5 million.
California Data Security Breach Reporting
In 2002, California became the first jurisdiction in the world to pass a law requiring businesses and government agencies to tell people when their data has been breached. If hackers or thieves get hold of a Californian’s personal information – including their social security number or credit card number – the individual must be notified. Most U.S. states and many countries around the world followed suit, just as they are expected to do after the passage of the European Union’s GDPR.
Sarbanes-Oxley Act
This piece of federal legislation was passed in 2002, in the wake of high-profile financial scandals like Enron and WorldCom. It elevated the corporate accountability standards that protect citizens and stakeholders from corrupt and fraudulent financial practices, and applies to all publicly traded companies. In part, SOX sets out retention and disposition schedules for key financial records, and so it has a direct impact on any records manager working in the financial sector.
Gramm-Leach-Bliley Act
Passed in 2003, this critical law controls how major financial institutions manage individuals’ private information. The act dictates how some financial records should be stored and destroyed, and also provides some protection against the sale and trade of private financial information, including bank balances and account numbers.
General Data Protection Regulation
Fundamentally, this new law aims to give EU citizens more complete control over how their personal information is collected, stored and used. For example, it gives people the “right to be forgotten,” requiring that companies have the capacity to permanently purge personal information from all records, paper and digital. A recent PwC survey suggests that the vast majority of U.S. companies – 92 percent – rank GDPR compliance among their top data protection priorities, but as many as half are not yet fully compliant. Fines for failing to comply run as high as 20 million euros, or $25 million USD.
The GDPR currently only applies to companies that do business in the European Union, but European leaders have explicitly said they’re aiming to set a new global standard, and experts say it’s just a matter of time before the U.S. follows suit. Which means that every records manager needs to be up-to-date on current laws and bracing for a sea change – or risk being carried away by the legal riptide.
Are you ready to lay the foundation for change?
For 70 years, from HIPAA all the way to the GDPR, Corodata has been a trusted records management partner. Our audits and certificates are your guarantee that we’re upholding our commitment to protecting information under the newest laws. So whether you need secure records storage or data protection services, Corodata can help.
Data Security Breach Reporting | State of California Department of Justice
California Data Breach Report | State of California Department of Justice
Information Privacy and Data Protection Regulation | AIIM
Guest Post – GDPR and Cross Border Data Flows between the EU and the US: Current State of the Law | AIIM