Legal and Regulatory Requirements for Electronic Records Management

U.S. government regulations are forcing companies to take security and control more seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection.

If you work in the healthcare industry, your firm will need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA outlines medical security and privacy rules and procedures for simplifying the administration of healthcare billing and automating the transfer of healthcare data between healthcare providers, payers, and plans. It requires members of the healthcare industry to retain patient information for six years and ensure the confidentiality of those records. It specifies privacy, security, and electronic transaction standards for healthcare providers handling patient information, providing penalties for breaches of medical privacy, disclosure of patient records by email, or unauthorized network access.

If you work in a firm providing financial services, your firm will need to comply with the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act after its congressional sponsors. This act requires financial institutions to ensure the security and confidentiality of customer data. Data must be stored on a secure medium, and special security measures must be enforced to protect such data on storage media and during transmittal.

If you work in a publicly traded company, your company will need to comply with the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act after its sponsors Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. This act was designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies. It imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally. One of the Learning Tracks for this chapter discusses Sarbanes-Oxley in detail.

Sarbanes-Oxley is fundamentally about ensuring that internal controls are in place to govern the creation and documentation of information in financial statements. Because information systems are used to generate, store, and transport such data, the legislation requires firms to consider information systems security and other controls required to ensure the integrity, confidentiality, and accuracy of their data. Each system application that deals with critical financial reporting data requires controls to make sure the data are accurate. Controls to secure the corporate network, prevent unauthorized access to systems and data, and ensure data integrity and availability in the event of disaster or other disruption of service are essential as well.

Source: Laudon Kenneth C., Laudon Jane Price (2020), Management Information Systems: Managing the Digital Firm, Pearson; 16th edition.
