Keeping up with a complex regulatory landscape isn’t easy. In this blog, we offer an overview of several state and federal laws that have a bearing on your organization’s information management strategy.
The Fair and Accurate Credit Transaction Act (FACTA)
FACTA gives consumers the ability to place alerts on their credit histories if identity theft is suspected. The law requires lenders, credit card companies, and other financial service organizations to dispose of information to protect against “unauthorized access to or use of the information.” If FACTA applies to your business, invest in a reliable shredding and destruction service.
The Gramm-Leach-Bliley Act (GLBA)
GLBA’s Safeguards Rule requires financial institutions to develop a written information security plan outlining processes for protecting clients’ personal information. The plan must include:
- Designation of at least one employee to manage safeguards
- Risk analysis plans for each department handling personal information
- Develop, test, and monitor an information security program
- Change safeguards as needed
A records and information management provider with long-term experience protecting and managing information assets can help your business comply with GLBA’s Safeguard Rule.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to health care providers and their “business associates.” Under the HIPAA Final Omnibus rule, the definition of a business associate includes:
- Organizations or persons that provide data transmission services with respect to PHI for a covered entity
- Vendors offering PHI records to individuals on behalf of a covered entity
- Subcontractors that receive, create, or maintain PHI on behalf of a business associate
If your company falls under any of these categories, or handles PHI in any way, it must have a business associate agreement requiring compliance with the Privacy Rule, Security Rule, and breach reporting standards.
California Civil Code 1798.81
California 1798.81 requires businesses that conduct business in California to notify California residents if the person or business suffers a security breach involving “personal information.” The law states that businesses should “take all reasonable steps to dispose, or arrange for the disposal, of customer records” that contain “personal information when those records aren’t needed any longer by, among other means, shredding.”
The California Consumer Privacy Act (CCPA)
The CCPA is scheduled to go into effect in 2020. It requires companies to be transparent about what consumer data they collect and how they use it. California residents have a right to request that California businesses:
- Disclose the specifics of personal information they collect
- Disclosed the business or commercial purpose for collecting or selling personal information
- Disclose the sources from which personal information is collected
- Not sell their personal information
- Delete any collected personal information
The California Attorney General’s Office enforces the CCPA. Companies found in non-compliance with the law can face civil penalties of $2,500 for each violation or $7,500 for each intentional violation. To comply with the CCPA, your business should have a written record retention plan that includes final disposition dates for expired data.
For more compliance tips, please call us at 800-685-9034 or complete the form on this page.
Pacific Records Management provides records and information management services for businesses throughout Fresno, Stockton, Sacramento, Modesto, and Napa and Solano Counties.