This year is off to a busy start for legislative and regulatory news around the world, as you’ll see in this quarter’s Legal and Information Governance (IG) Update.
Our mission is to empower you with the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible. We’ve researched a variety of areas, including data privacy and security, records retention, financial services, payment processing, workplace safety, and back-office refresh to provide you with a comprehensive update.
We also include notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.
We’re committed to keeping you informed with the latest regulatory and provisional information. Thank you for your continued readership and stay tuned for future updates!
A new commercial financing disclosure regulation proposed by the California Department of Financial Protection and Innovation (DFPI) took effect on December 9, 2022.
Cited in Virgo as, “CAL. CODE REGS. tit. 10, § 930” under the subheading, “Commercial Financing Disclosures – Estimates – Sales-Based financing – Historical Method”.
Cited in Virgo as, “CAL. CODE REGS. tit. 10, § 952” under the subheading, “Commercial Financing Disclosures – Duties of Financers and Brokers”.
Beginning July 1, 2023, online marketplaces must require high-volume, third-party sellers to provide specific information, including contact information, bank account number, and the name of the payee for payments issued by the marketplace. This information must be kept by the online marketplace for no less than 2 years.
What is considered an “online marketplace”? Under these new laws, a wide range of consumer-focused digital platforms may qualify as marketplaces. In addition to covering marketplaces allowing third parties to buy and sell products on their platform, marketplaces that facilitate third-party payments for consumer products are also covered, as are marketplaces facilitating or enabling third-party shipping and delivery of consumer products.
Cited in Virgo as, “CAL. CIV. CODE § 1749.8.3” under the subheading, “Online marketplace; information maintenance”.
Effective February 19, 2023, the Warehouse Worker Protection Act (WWPA) seeks to protect warehouse workers from unreasonably demanding work quotas. A new recordkeeping rule requires employers of 100 or more employees at a single warehouse or 500 or more employees at one or more warehouses to preserve accurate records of the following:
These records shall be maintained throughout the duration of each employee’s period of employment. After an employee’s separation, records relating to the 6-month period prior to the date of the employee’s separation must be preserved for at least 3 years after separation.
Cited in Virgo as, “N.Y. LABOR LAW § 784” under the title, “Warehouse Worker Protection Act”.
On December 21, 2022, New York Governor Kathy Hochul signed the state’s compensation transparency bill into law. Effective September 17, 2023, all private employers with four or more employees are required to include salary ranges and a job description for all advertised jobs, promotions, and transfer opportunities. For positions that are paid on a commission basis, the advertisement must include a “general statement” along the lines of “compensation shall be based on commission.”
An employer shall keep and maintain necessary records to comply with the requirements of this section including, but not limited to, the history of compensation ranges for each job, promotion, or transfer opportunity and the job descriptions for such positions, if such descriptions exist.
Cited in Virgo as, “N.Y. LABOR LAW § 194-b” under the subheading, “Payment of Wages – Mandatory disclosure of compensation or range of compensation”.
This new Act, which became law in December 2022, imposes security-related requirements for organizations that make, import, or distribute any products capable of connecting to the internet or a network.
Noteworthy records retention requirements state that manufacturers of “relevant connectable products” must maintain records of any investigations carried out by the manufacturer in relation to a compliance failure and any compliance failures relating to the product for 10 years. Similarly, importers of these products must also maintain records of investigations done by the importer in relation to a compliance failure, or suspected compliance failure by the importer or the manufacturer for 10 years.
Guidance from the Department for Digital, Culture, Media & Sport includes a list of products governed by this Act, including:
Cited in Virgo as, “Product Security and Telecommunications Infrastructure Act 2022, c. 46, Art. 12”.
The U.S. Department of Veterans Affairs (VA) updated its contractor cybersecurity and privacy practice regulations. These efforts include better protecting contractor systems that handle sensitive VA information and establishing breach notification requirements. Government contractors take note: these regulations stipulate how records must be maintained and include rules relating to secure destruction.
48 CFR 852.204-71(f)(4): When information, data, documentary material, records, and/or equipment is no longer required, it shall be returned to the VA or the Contractor/subcontractor must hold it until otherwise directed. Items returned will be hand carried, securely mailed, emailed, or securely electronically transmitted to the Contracting Officer or to the address as provided in the contract or by the assigned COR, and/or accompanying BAA. Depending on the method of return, the Contractor/subcontractor must store, transport, or transmit VA sensitive information, when permitted by the contract using VA–approved encryption tools that are, at a minimum, validated under Federal Information Processing Standards (FIPS) 140–3 (or its successor).
(f)(6): The Contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the contract or to preserve electronic information stored on the Contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
(f)(10): If the Contractor or subcontractor discloses information on behalf of VHA, the Contractor and/or subcontractor must maintain an accounting of disclosures. Accounting of Disclosures documentation maintained by the Contractor/subcontractor will include the name of the individual to whom the information pertains, the date of each disclosure, the nature or description of the information disclosed, a brief statement of the purpose of each disclosure, or in lieu of such statement, a copy of a written request for a disclosure and the name and address of the person or agency to whom the disclosure was made.
Cited in Virgo as, “48 C.F.R. § 852.204–71” under the title, “Federal Acquisition Regulations System – Department of Veterans Affairs” and subheading, “Solicitation Provisions and Contract Clauses – Information and Information Systems Security”.
On November 15, 2022, the FDA issued the final rule on Requirements for Additional Traceability Records for Certain Foods to establish traceability recordkeeping requirements beyond those in existing regulations for persons who manufacture, process, pack, or hold foods included on the Food Traceability List (FTL). These new requirements allow for faster identification and rapid removal of potentially contaminated food from the market, resulting in fewer foodborne illnesses.
At the core of this rule is a requirement that persons subject to the rule who manufacture, process, pack, or hold foods on the FTL maintain records containing Key Data Elements associated with specific Critical Tracking Events for 2 years from the date of creation.
The FTL final list includes:
Various citations in Virgo from, “21 C.F.R. § 1.1305” through “21 C.F.R. § 1.1455” under the subheading, “Additional Traceability Records for Certain Foods: Traceability Plan”.
The new EU-wide cyber law, Directive 2022/2555 (NIS2 Directive), entered into force on Monday, January 16, 2023. It sets a baseline for cybersecurity risk management measures and reporting obligations for all sectors classified as high criticality, such as:
Various citations in Virgo under the title, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)”.
To learn more about how to address records retention, data privacy, and security requirements more efficiently, request a call with an Access expert or request a product demonstration of Virgo.