For all businesses, no matter the size or industry, protecting and retaining documents and other forms of sensitive data is not only a federal requirement, but laws and regulations can also vary on a state-by-state basis. And, there is often confusion among employers and entities as to the legal requirements for the recordkeeping, destruction and safeguarding of certain sensitive data like employment records, health records, Social Security numbers and credit card data, etc.
“It is important for employers to understand the requirements for preserving as well as protecting data, whether it is physical or electronic,” says Matt Boxer, partner and chair, corporate investigations & integrity practice at Lowenstein Sandler LLP in Roseland. “There are federal regulations, but then there are state laws as well, with New Jersey being one of the more stringent states in terms of laws and regulations of document retention and protection. It is very clear that the state takes privacy issues very seriously and has imposed a number of legal requirements for businesses and entities.”
In determining the proper steps to maintain and protect records, Boxer, who was New Jersey’s first independent State Comptroller, says it depends on a company’s industry and the types of document involved.
“There are certain areas that are highly regulated,” he says. “If you are a company that is contracting with the government, there are onerous regulations to comply with. And, if you are a financial services institution or in the healthcare field, for example, there are different steps you must take. It also depends on the kind of document it is as well. So, there is no ‘one-size-fits-all’ approach to it.”
For example, there are laws such as the Age Discrimination in Employment Act, the Americans with Disabilities Act or the Fair Labor Standards Act that lay down the guidelines as to how long documents should be retained and, in some instances, how they should be disposed.
Law firms like K&L Gates, with a location in Newark, can assist businesses in complying with document retention regulations and determining what defines a company’s requirements to keep certain records.
“We help to advise clients regarding their routine records management needs and help clients determine which laws apply to them and which ones they should follow either on a location-by-location [basis] (if locations are in different states) or throughout the entire organization,” says Daniel Miller, partner in the e-discovery analysis and technology group of K&L Gates. “It can be quite confusing because besides from the federal laws, there can be one state that says you have to keep a certain kind of human resources or personal record for three years, and another state that says you have to keep it for five or seven years.”
Miller says that it is also important for businesses to be aware of its record retention practices when entering into a contract with another party or if involved in a legal proceeding, where any and all documents can have an impact on the outcome of said proceeding.
“A big issue for many companies is understanding the need to preserve records in light of a legal proceeding, like a lawsuit or government inquiry,” he says. “If it is found that there is a failure to take reasonable actions to retain any and all records involded, a company can encounter severe sanctions for the destruction of evidence or potential evidence.”
What other consequences can companies face if they don’t maintain or keep accurate records?
“The penalties can depend on the circumstances,” says Lowenstein’s Boxer. “Companies can face substantial fines from various agencies, or audit failures that, at worst, can result in the closure of a business. Or, they may have to pay extra taxes if receipts aren’t kept for planned deductions and other potentially hefty penalties.”
And in terms of properly protecting and securing various forms of sensitive data, that is another issue in itself, according to Tom Abbate, partner at Decotiis, Fitzpatick & Cole, LLP, who is based in Teaneck.
“Most of the potential for data theft, loss of personal information and unauthorized access to documents lies in the electronic realm,” he says. “Today, companies have obligations to properly protect personal information and to employ certain measures if a data breach were to occur.”
In New Jersey, the New Jersey Identity Theft Protection Act (ITPA), which took effect in January of 2006, requires businesses in the state to take steps to protect consumer information.
“Businesses in New Jersey are required by law to restrict the use of personal data, take reasonable steps to destroy customer records the business does not intend to retain, and to report unauthorized access of personal information,” Abbate says.
“There is a black market for personal information,” Abbate continues. “It is like currency and it is very easy to sell. And today, it can be very easy for a hacker or ‘bad guy’ to gain access to that data.”
“What we see is instances of company data being obtained by outside sources through improper means and you may not hear about it unless it is a very large company,” Lowestein’s Boxer says. “Data security is an area that is becoming increasingly dicey for companies. The risks are tremendous, not only from a liability perspective – where companies may have to pay fines – but from the ability to be able to conduct normal business after a breach occurs. It could take a while to get certain systems secure and up-and-running again. … If companies don’t have appropriate security protocols in place, then that puts all of its privacy obligations at risk.”
What kind of security protocols can companies put into place to help protect sensitive information?
“Most businesses are aware of the primary security safeguards in developing adequate passwords and maintaining appropriate firewalls of computer and data systems,” K&L Gates’ Miller says. “But the best thing that companies can do, especially the smaller ones that may not have the resources larger companies have, is to take the time to educate their personnel. Cyber security training for employees, in teaching them about all of the cyber-attacks and phishing scams that are out there today, can be vital in retaining data and can save companies money, time and resources in the long run.”
Cyber-attacks and phishing scams are not the only ways sensitive data can be obtained by unscrupulous individuals. Leaked information can be provided to other parties by dishonest or disgruntled employees.
“Employees stealing the information of the companies they work for has been a problem long before cyber-attacks, because that was one of the only ways for criminals to obtain that kind of personal information without having to physically go into a business and steal paper files,” Boxer says. “Companies need to make sure they limit access of certain documents to only those individuals who require it for their jobs and/or business operations. … And, in instances where people get fired or let go from a company in a way that leaves them disgruntled and wanting to cause harm by stealing private documents, promptly ending access to their computer system upon first indication of a serious problem, or something as simple as escorting them out of the building before they have the opportunity to engage in that kind of behavior, is something that should be done.”
With that said, there is no way to guarantee that sensitive data will be completely protected.
“There are certainly technological measures that can be implemented, but the weak link is almost always going to be dependent on human error,” Decotiis’ Abbate says. “At the end of the day, hackers are coming up with new ways to break into systems. It all comes down to having the proper security measures, educating employees and following the proper steps in notifying individuals and/or law enforcement if a breach were to occur.”
All-in-all, companies have to “be aware of obligations they have in retaining and protecting various forms of data,” Boxer says. “If they are unsure, they need to carefully review with their counsel and other professionals to determine exactly what their requirements are. There is no ‘cookie cutter’ type approach as every circumstance is different. However, by following the proper guidelines set forth by federal and state regulations, businesses can greatly mitigate the risks involved with retaining, protecting and destroying sensitive business and personal data.”