Knowledge Center
Why do we need to keep records? Learn more about which records to keep and why.
Knowledge Center
Be compliant by following the laws and regulations that control your industry.
What to Store and Protect?
There are many reasons to retain the records needed to conduct your business. For example, the legal and regulatory environment requires you to retain records pertaining to taxes, payroll, employee benefits, quality control, test data, and so on. The business environment demands that you carefully protect your corporate papers, patents, and other proprietary information.
The following is a partial list of the kinds of records that businesses must retain and manage.
- Employee expense reports
- Invoices and vouchers
- Depreciation schedules
- Accounts payable ledgers
- Accounts receivable ledgers
- Balance sheets
- Income statements
- Trial balances
- Journal entries
- Payroll reports
- W-2, W-4, 1099
- Accident/Injury reports and logs
- Certificate of incorporation
- Historical records
- Bylaws
- Board of Directors meeting minutes
- Shareholder meeting minutes
- Dividend records
- Annual reports
- Employee files
- Patents and trademarks
- Product engineering
- Quality control records
- Franchise/Income tax
Records Management Laws
Numerous state, federal and industry regulations require you to retain, protect and properly destroy certain information about your customers, employees, consumers, patients and trade secrets. The following is a partial list of key laws and regulations that affect many businesses and individuals.
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) 2009/2010 privacy rules protect all “individually identifiable health information” including demographic data.
Examples of individually identifiable health information that must be protected for HIPAA compliance:
- Information related to the individual’s physical or mental health
- Data about providing health care to the individual
- Health care payment records
References:
- Health Information Privacy. U.S. Department of Health & Human Services.
- Health Information Technology for Economic and Clinical Health Act (HITECH). U.S. Department of Health & Human Services.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act enacted in 1999 includes a Privacy Rule which protects a consumer’s “nonpublic personal information” (NPI) that you collect in connection with providing a financial product or service.
Examples of non-public information that must be protected for Gramm-Leach-Bliley compliance:
- Information on an application such as name, address, income, Social Security number, or other information
- Information from a transaction, such as the fact that an individual is a consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases
- Any information you get about an individual in connection with providing a financial product or service, such as information from court records or from a consumer report
References:
- How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach Billey Act. Federal Trade Commission – Facts for Business. July 2002
Fair and Accurate Credit Transaction Act (FACTA)
FACTA requires businesses and individuals to properly dispose of sensitive information derived from consumer reports. The Disposal Rule defines ‘proper’ disposal practices that could include establishing and complying with polices to burn, pulverize or shred papers containing consumer report information, and hiring a document disposal company that is certified by a recognized trade association.
Examples of consumer report information that must be properly managed for FACTA compliance:
- Credit reports, credit scores, check writing history
- Reports related to employment background, residential or tenant history
- Insurance claims or medical history
References:
- FACTA Disposal Rule Goes into Effect June 1. Federal Trade Commission – News. June 1, 2005.
- Disposing of Consumer Report Information? New Rule Tells How. Federal Trade Commission – Business Alert. June 2005.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of requirements designed to ensure that companies that process, store or transmit credit card information maintain a secure environment. The focus of the standard is to provide payment account security throughout the transaction process. Compliance with the PCI DSS means that your systems are secure and your customers can trust you with their sensitive payment card information.
References:
- Overview of PCI Standards. PCI Security Standard Council
- Why Comply with PCI Security Standards? PCI Security Standard Council
Privacy Act of 1974
The purpose of the Privacy Act is to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasion of their privacy. The Privacy Act governs the collection, maintenance, use, and dissemination of personally identifiable information maintained by federal agencies.
The Act focuses on four basic policy objectives:
- To restrict disclosure of personally identifiable records maintained by agencies.
- To grant individuals increased rights of access to agency records maintained on them.
- To grant individuals the right to seek amendment of agency records maintained on them
- To establish a code of “fair information practices” regarding the collection, maintenance, and dissemination of records.
Examples of information that must be protected for Privacy
Act compliance:
- Financial data such as banking information and documents, copies of checks, loan information
- Medical and insurance information, including patient names and billing data
- Any information containing social security numbers
References:
- Overview of the Privacy Act of 1974. U.S. Department of Justice, Office of Privacy and Civil Liberties.
- Why Shred? National Association for Information Destruction, Inc., www.naidonline.org. 2002.
Economic Espionage Act (EEA)
The Economic Espionage Act of 1996 protects a broad range of trade secret information if the owner has taken reasonable measures to keep such information secret, and if the information derives independent economic value from not being generally known to or accessible by the public. In other words, if you do not take reasonable precautions, your trade secrets will not be protected, even from a person who uses improper means to obtain them.
Examples of information that must be protected for EEA compliance:
- All forms and types of financial, business, scientific, technical, economic, or engineering information, regardless of format
- Patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes
References:
- The Economic Espionage Act of 1996. U.S. Department of Justice.
- Dumpster Diving and Trade Secrets: Is Your Company Protecting Its Trade Secrets? National Association for Information Destruction, Inc., www.naidonline.org. March 2006.
Uniform Trade Secrets Act (UTSA)
The Uniform Trade Secrets Act (UTSA) was developed as a model law in 1979 and amended in 1985 to provide states with a legal framework for improved trade secret protection for industry.
Examples of information that must be protected for UTSA compliance:
- Drafts and obsolete contracts & proposals
- Market analysis, customer names & shipping data
- Supplier information & purchase orders
- Visitor logs & brainstorming notes
References:
- Uniform Trade Secrets Act. Uniform Law Commission, The National Conference of Commissioners on Uniform State Laws.
- Why Shred? National Association for Information Destruction, Inc., www.naidonline.org. 2002.
Additional References:
- Just the Basics: Essential knowledge on U.S. laws promoting information destruction. National Association for Information Destruction, Inc., www.naidonline.org.
- The Facts of Life (about proper information destruction). National Association for Information Destruction, Inc., www.naidonline.org, NAIDnews. 2010.
- Why small offices should use a shredding service. National Association for Information Destruction, Inc., www.naidonline.org.
- Recent Changes to HIPAA and the Impact on the Information Destruction Industry. National Association for Information Destruction, Inc., www.naidonline.org.
- FACTA. National Association for Information Destruction, Inc., www.naidonline.org.
- HIPAA. National Association for Information Destruction, Inc., www.naidonline.org.
- How Outsourcing Your Shredding is More Secure. National Association for Information Destruction, Inc., www.naidonline.org.
State, federal and industry regulations place record keeping requirements on businesses and individuals.
Off-Site’s records expertise assists you in developing a program to systematically track and manage your business records.
Penalties are hefty for non-compliance with requirements to securely safeguard and destroy sensitive records protected by laws.