This year has been off to a busy start when it comes to legislation and regulatory news happening around the world, as you’ll see in this quarter’s Legal and Information Governance (IG) Update.
Our mission is to empower you with the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible. We’ve researched a variety of areas, including data privacy and security, records retention, financial services, payment processing, workplace safety, and back-office refresh to provide you with a comprehensive update.
We also include notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.
We’re committed to keeping you informed with the latest regulatory and provisional information. Thank you for your continued readership and stay tuned for future updates!
California – New Disclosure Obligations for Lenders:
A new commercial financing disclosure regulation proposed by the California Department of Financial Protection and Innovation (DFPI) took effect on December 9, 2022.
- Providers of sales-based financing (commercial financing transaction repaid by a recipient to the financer as a percentage of sales or income, in which the payment amount increases and decreases according to the volume of sales made or income received by the recipient) are instructed to maintain specific documents relating to estimated monthly sales, income, or receipts projection while they are in effect and for a period of 4 years thereafter.
Cited in Virgo as, “CAL. CODE REGS. tit. 10, § 930” under the subheading, “Commercial Financing Disclosures – Estimates – Sales-Based financing – Historical Method”.
- Financers must provide a copy of compliant disclosures whenever they provide a specific commercial financing offer and maintain a copy of the evidence of transmission for a period of at least 4 years following the date the disclosure is presented to the recipient. Providers shall maintain a copy of each disclosure that they generate for the same period.
Cited in Virgo as, “CAL. CODE REGS. tit. 10, § 952” under the subheading, “Commercial Financing Disclosures – Duties of Financers and Brokers”.
California – Online Marketplaces Laws:
Beginning July 1, 2023, online marketplaces must require high-volume, third-party sellers to provide specific information, including contact information, bank account number, and the name of the payee for payments issued by the marketplace. This information must be kept by the online marketplace for no less than 2 years.
What is considered an “online marketplace”? Under these new laws, a wide range of consumer-focused digital platforms may qualify as marketplaces. In addition to covering marketplaces allowing third parties to buy and sell products on their platform, marketplaces that facilitate third-party payments for consumer products are also covered, as are marketplaces facilitating or enabling third-party shipping and delivery of consumer products.
Cited in Virgo as, “CAL. CIV. CODE § 1749.8.3” under the subheading, “Online marketplace; information maintenance”.
New York – Warehouse Worker Protection Law:
Effective February 19, 2023, the Warehouse Worker Protection Act (WWPA) seeks to protect warehouse workers from unreasonably demanding work quotas. A new recordkeeping rule requires employers of 100 or more employees at a single warehouse or 500 or more employees at one or more warehouses to preserve accurate records of the following:
- Each employee’s own personal work speed data;
- The aggregated work speed data for similar employees at the same establishment; and
- The written descriptions of the quota that such employee was provided.
These records shall be maintained throughout the duration of each employee’s period of employment. After an employee’s separation, records relating to the 6-month period prior to the date of the employee’s separation must be preserved for at least 3 years after separation.
Cited in Virgo as, “N.Y. LABOR LAW § 784” under the title, “Warehouse Worker Protection Act”.
New York – New Compensation Transparency Law:
On December 21, 2022, New York Governor Kathy Hochul signed the state’s compensation transparency bill into law. Effective September 17, 2023, all private employers with four or more employees are required to include salary ranges and a job description for all advertised jobs, promotions, and transfer opportunities. For positions that are paid on a commission basis, the advertisement must include a “general statement” along the lines of “compensation shall be based on commission.”
An employer shall keep and maintain necessary records to comply with the requirements of this section including, but not limited to, the history of compensation ranges for each job, promotion, or transfer opportunity and the job descriptions for such positions, if such descriptions exist.
Cited in Virgo as, “N.Y. LABOR LAW § 194-b” under the subheading, “Payment of Wages – Mandatory disclosure of compensation or range of compensation”.
United Kingdom – New Requirements for Internet-Connectable Products:
This new Act, which became law in December 2022, imposes security-related requirements for organizations that make, import, or distribute any products capable of connecting to the internet or a network.
Noteworthy records retention requirements state that manufacturers of “relevant connectable products” must maintain records of any investigations carried out by the manufacturer in relation to a compliance failure and any compliance failures relating to the product for 10 years. Similarly, importers of these products must also maintain records of investigations done by the importer in relation to a compliance failure, or suspected compliance failure by the importer or the manufacturer for 10 years.
Guidance from the Department for Digital, Culture, Media & Sport includes a list of products governed by this Act, including:
- Connected cameras, TVs, and speakers
- Connected children’s toys and baby monitors
- Connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- Wearable connected fitness trackers
- Outdoor leisure products, such as handheld connected GPS devices that are not wearables
- Connected home automation and alarm systems
- Connected appliances, such as washing machines and refrigerators
- Smart home assistants
Cited in Virgo as, “Product Security and Telecommunications Infrastructure Act 2022, c. 46, Art. 12”.
USA – New Cybersecurity Obligations for VA Contractors:
The U.S. Department of Veterans Affairs (VA) updated its contractor cybersecurity and privacy practice regulations. These efforts include better protecting contractor systems that handle sensitive VA information and establishing breach notification requirements. Government contractors take note: these regulations stipulate how records must be maintained and include rules relating to secure destruction.
48 CFR 852.204-71(f)(4): When information, data, documentary material, records, and/or equipment is no longer required, it shall be returned to the VA or the Contractor/subcontractor must hold it until otherwise directed. Items returned will be hand carried, securely mailed, emailed, or securely electronically transmitted to the Contracting Officer or to the address as provided in the contract or by the assigned COR, and/or accompanying BAA. Depending on the method of return, the Contractor/subcontractor must store, transport, or transmit VA sensitive information, when permitted by the contract using VA–approved encryption tools that are, at a minimum, validated under Federal Information Processing Standards (FIPS) 140–3 (or its successor).
(f)(6): The Contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the contract or to preserve electronic information stored on the Contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
(f)(10): If the Contractor or subcontractor discloses information on behalf of VHA, the Contractor and/or subcontractor must maintain an accounting of disclosures. Accounting of Disclosures documentation maintained by the Contractor/subcontractor will include the name of the individual to whom the information pertains, the date of each disclosure, the nature or description of the information disclosed, a brief statement of the purpose of each disclosure, or in lieu of such statement, a copy of a written request for a disclosure and the name and address of the person or agency to whom the disclosure was made.
Cited in Virgo as, “48 C.F.R. § 852.204–71” under the title, “Federal Acquisition Regulations System – Department of Veterans Affairs” and subheading, “Solicitation Provisions and Contract Clauses – Information and Information Systems Security”.
USA – New FDA Rule for Traceability Records for Certain Foods:
On November 15, 2022, the FDA issued the final rule on Requirements for Additional Traceability Records for Certain Foods to establish traceability recordkeeping requirements beyond those in existing regulations for persons who manufacture, process, pack, or hold foods included on the Food Traceability List (FTL). These new requirements allow for faster identification and rapid removal of potentially contaminated food from the market, resulting in fewer foodborne illnesses.
At the core of this rule is a requirement that persons subject to the rule who manufacture, process, pack, or hold foods on the FTL maintain records containing Key Data Elements associated with specific Critical Tracking Events for 2 years from the date of creation.
The FTL final list includes:
- All fresh-cut fruits and vegetables
- Certain other fresh produce: leafy greens, cucumbers, peppers, tomatoes, tropical tree fruits, sprouts, herbs, melons
- Certain fresh and frozen finfish
- Fresh and frozen smoked finfish
- Fresh and frozen crustaceans
- Fresh and frozen molluscan shellfish, bivalves
- Certain cheeses
- Shell eggs
- Nut butters
- Ready-to-eat deli salads
Various citations in Virgo from, “21 C.F.R. § 1.1305” through “21 C.F.R. § 1.1455” under the subheading, “Additional Traceability Records for Certain Foods: Traceability Plan”.
European Union – New Cybersecurity Law:
The new EU-wide cyber law, Directive 2022/2555 (NIS2 Directive), entered into force on Monday, January 16, 2023. It sets a baseline for cybersecurity risk management measures and reporting obligations for all sectors classified as high criticality, such as:
- Financial market infrastructures
- Drinking water
- Digital infrastructure
Various citations in Virgo under the title, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)”.