Is your RIM policy up-to-date? Are you sure?

Over the past decade and a half, mountains of government regulations have arisen, fundamentally changing the compliance landscape and multiplying the duties of busy records managers.

What is a RIM Policy?

A RIM (Records & Information Management) Policy is the set of internal guidelines that establishes your information management program. This program details record retention schedules and regulatory compliance with common information governance frameworks, including:

  • GDPR
  • SOX
  • GLBA
  • FASB

This is a complicated and deep topic, but we’ve done our best to simplify it and make everything easy to understand. Let’s get to it!

Why So Many Rules?

In the U.S., the 9/11 attacks and the corruption scandals at companies like Enron led to stricter laws in the early 2000s designed to prevent money laundering and fraud, including the Sarbanes-Oxley Act. After the financial crisis of 2007-2009, the Dodd-Frank Act further tightened restrictions to prevent bribery and other problems, though there is now a movement to roll some of that legislation back.

As organizations increasingly began storing sensitive customer and employee information online, governments responded to privacy concerns with laws like HIPAA in the U.S. and the GDPR in Europe.

To comply with the new rules, organizations have had to make sweeping changes to their recordkeeping and governance policies. And as any records manager today knows, change is never a once-and-done affair. Laws continue to evolve, often following in the footsteps of rapidly-changing technology. It’s tough to keep up, and penalties for noncompliance are severe.

Here’s a brief overview of some of the recordkeeping aspects of recent legislation and accounting rules that you need to be aware of.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed to ensure the confidentiality, integrity and availability of protected health information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act tightened HIPAA rules and increased penalties for violations by 6,000 percent.

Who is affected: Healthcare organizations and companies who provide services to them.

Recordkeeping requirements: Physical and electronic safeguards. Federal and state retention requirements. Old documents must be shredded. An act as simple as an employee tossing a piece of paper into the trash can could result in a fine.

Penalties: Anywhere from $100 to $50,000 per violation, and up to $1.5 million per category per year.

FACTA

The Fair and Accurate Credit Transaction Act (FACTA) was designed to reduce consumer fraud and identity theft.

Who is affected: Any company that uses consumer credit reports.

Recordkeeping requirements: Document destruction that prevents files from being reconstructed, including burning, pulverizing, or shredding. Digital data must also be erased.

Penalties: Federal fine of up to $2,500 per violation. States may also impose fines of up to $1,000 per violation.

FERPA

The Family Educational Rights and Privacy Act (FERPA) was passed in 1974, long before computers existed, to protect the privacy of student records and allow parents to review them. Today, it also gives parents and adult students the right to opt out of sharing their information with third parties.

Who is affected: Schools that receive federal funds.

Recordkeeping requirements: Schools must set and enforce their own policies. FERPA does not dictate the method or duration of record storage and destruction. Watch for updates; some organizations are pushing for fines.

Penalties: Withdrawal or termination of federal funding.

GDPR

The European Union’s massive new General Data Protection Regulation, which came into effect in May, gives EU citizens rights to control how data about them is collected and used. People must consent to data collection and can request copies of the information organizations collect. In some cases, they can have their data deleted. The law also has provisions for reporting a data breach.

Who is affected: Any organization that processes the personal data of EU citizens. If EU customers land on your website and you collect their information, the law applies to you.

Recordkeeping requirements: Familiarize yourself with the new law and develop a governance policy. Watch for possible adaptations in the U.S. and elsewhere, such as California’s new Consumer Privacy Act.

Penalties: The EU has said it will go easy on organizations for the first year, but it is allowed to impose fines of up to 20 million euros or 4 percent of annual revenue.

SOX

The Sarbanes-Oxley Act was passed in the wake of scandals at Enron, Tyco, and WorldCom to prevent corporate fraud and accounting errors.

Who is affected: Publicly traded companies and accounting firms.

Recordkeeping requirements: SOX makes it a federal crime to destroy or tamper with corporate accounting records. All financial policies, procedures, and records must be available for review by auditors on short notice. The scope of document review includes electronic records such as web pages, emails, voicemails, and recorded calls.

Penalties: $5 million or more in fines and 20 years in prison.

GLBA

The Gramm–Leach–Bliley Act requires financial institutions to design safeguards to protect consumer information. They must be transparent about the information they are collecting.

Who is affected: Any company that offers consumers loans, investment advice, or insurance.

Recordkeeping requirements: You must provide all new customers with a privacy notice, and the notice must be re-approved annually. You must be able to describe in detail the steps you take to protect customer information.

Penalties: Up to $100,000 per violation and five years in prison.

New FASB Accounting Standards

The Financial Accounting Standards Board (FASB), which administers GAAP rules, has issued four new standards that are taking effect gradually over the next few years. GAAP rules are not laws and do not carry enforcement penalties, but they are necessary for credibility, and most companies treat them like laws. These are major changes that call for new disclosures and reporting requirements. Here’s a summary with links to the rules:

Not-for-profit standard

Who is affected: Charities, foundations, colleges and universities, health care providers, religious organizations, trade associations, and cultural institutions.

Deadline: Already in effect for annual financial statements. For interim statements, must be applied by December 15, 2018.

Recordkeeping requirements: New disclosures, including a narrative explanation of policies for managing funds and a quantification of liquid assets. A more detailed accounting of expenses.

Revenue recognition standard

Who is affected: Almost all companies, public and private.

Deadline: Already in effect for public companies. Private companies must begin implementing it by December 15, 2018.

Recordkeeping requirements: Additional revenue disclosures, including documenting contract specifications about the timing, amount, and type of deliverables. Changes to the timing of revenue recognition.

Lease standard

Who is affected: Any company that leases assets, including real estate, airplanes, ships, or construction or manufacturing equipment.

Deadline: For annual statements and public company interim statements, December 15, 2018. For private company interim statements, December 15, 2020.

Recordkeeping requirements: Additional disclosures about amount, timing, and uncertainty of cash flows. Disclosure of contract terms such as variable payments and renewal options.

Credit loss standard

Who is affected: Banks and finance companies.

Deadline: For public companies filing with the SEC, December 15, 2019. For public companies not filing with the SEC, December 15, 2020. For private companies, December 15, 2020 for annual statements and December 15, 2021 for interim statements.

Recordkeeping requirements: Changes the method of reporting credit losses from an “incurred loss” model to a “probable loss” model.

In a world awash with new regulations and constant updates, records managers must become more efficient than ever. Some state and federal laws overlap, so map out all the regulations that apply to you to eliminate redundancy. And don’t be afraid to get outside help when you need it; it will cost your company a lot less than paying a fine.

Shaun Stevens has over twenty years of experience in the records management industry, focused on business development, marketing and operations. He serves as the leader of national accounts for Access.