Long before the rise of electronic records, recordkeeping was a generally static process of filing paper documents and copies into neatly organized and clearly labeled files and folders. Long-term storage meant packing these files and folders into numbered boxes indexed on a master list, and stacking them in a storage closet or offsite facility. The standard record retention policy was a list of types of records -- "Correspondence", "Financial Statements", "Invoices" and so forth -- along with the number of years each type of record must be maintained. Document destruction policies were all but nonexistent: once the filing boxes became so old they could no longer hold the files, the contents were deemed more or less beyond their limit of utility and thrown out. A document privacy and security policy was a lock on the filing closet door.
The Enron/Arthur Andersen scandal in 2001 was perhaps the most memorable event that spurred greater public focus on what were largely considered back-office details that rarely rose to upper management-level concerns. In the post-Enron/Arthur Andersen era, however, records and information management began to focus increasingly on content rather than form, as the information contained in the records became much more important than the form in which the records were kept.1
Perhaps more significantly, public outrage was sparked by allegations that Enron/Arthur Andersen continued shredding sensitive documents even as Congress and other authorities were investigating wrongdoing at those companies. Thus, the Enron/Arthur Andersen scandal also highlighted the need for increased scrutiny of document destruction policies. Additionally, the scandal increased the pressure for further legal reforms to regulate information management and to punish improper document destruction.2
However, the federal government emphasized information privacy issues long before Enron. The Health Insurance Portability and Accountability Act, also known as HIPAA, was originally passed in 1996, and the insurance industry has labored under its rules and restrictions ever since.3 The federal rulemaking process regarding privacy rules under HIPAA was not complete until December of 2000 when the final HIPAA Privacy Rule was adopted. Even then, the federal Department of Health and Human Services adopted modifications to the standards for Privacy of "Individually Identifiable Health Information" under HIPAA in 2002, finalizing the privacy requirements of the HIPAA law and strengthening provisions related to protected health information.4
On the financial information side, the Gramm-Leach-Bliley Act, also known as GLB, was enacted in 1999 and included restrictions on the use of "nonpublic personal information" by financial institutions and other privacy protections for consumers. GLB also reflected an increasing concern about information security by setting criminal penalties for fraudulent access to financial information.5
GLB touched the insurance industry, as well, and the National Association of Insurance Commissioners (NAIC) responded. In 2000, the NAIC issued its Privacy of Consumer Financial and Health Information Model Regulation to address the GLB requirements related to the privacy of insurance consumers and their personal information.6 A number of states took action to put the privacy protections of the Model Regulation into law.
The NAIC initially published a model act regarding record retention in 1994 in conjunction with its unfair practices model rules. However, this first model was extensively amended and updated by the NAIC as the Market Conduct Record Retention and Production Model Regulation in 2004. The Record Retention Model Act was focused primarily on the retention and maintenance of records required for market conduct examinations and related regulatory purposes, but it nevertheless reflected a growing concern in the insurance industry regarding recordkeeping practices and standards.7
Thus, driven largely by litigation and discovery concerns, as well as rising regulatory requirements for record retention and the increasing cost of storing massive amounts of paper data, recordkeeping slowly began a modernization. Record retention policies became more extensive and more detailed, and began to include record destruction features: confidential records were shredded and stale documents were destroyed according to a schedule based on record type.
Government regulations requiring the retention of records for certain periods of time increased, and requirements that certain records be specifically preserved in the event of litigation, or even the threat of litigation, developed. Additionally, privacy concerns regarding medical and financial records kept by businesses started to emerge in the form of state and federal information privacy laws.
The emergence of electronic records stoked the pace of modernization of recordkeeping significantly. Not only were electronic records being generated and stored on electronic sources, but electronic media were available to store copies of physical records. Record retention and destruction policies were revised and supplemented to try to integrate and encompass electronic records, but the clean categories of paper records often proved an ill fit for electronic records, especially as electronic mail (e-mail) became an ever-increasing part of the workflow of many offices and businesses.
An example of the increased focus on electronic recordkeeping comes again from the realm of healthcare. In 2009, the Health Information Technology for Economic and Clinical Health Act, abbreviated as the HITECH Act, was appended to HIPAA and it "proposes the meaningful use of interoperable electronic records through the United States health care delivery system as a critical national goal."8 The phrase "meaningful use" is a term of art stemming from a number of criteria that electronic health records must meet under the HITECH Act.
Significantly, the NAIC amended its Market Conduct Record Retention and Production Model Act in 2003 to address the electronic retention of records along with methods for retention using a variety of media forms.9
Moving forward, not only did privacy concerns increase, but security concerns also increased as the vulnerability of electronic records to theft, misuse, corruption and destruction was exposed. This has resulted in increased laws and regulations not only protecting the privacy of information, but also imposing security and integrity requirements on recordkeepers.
Today, the prevalence and convenience of electronic communication has brought recordkeeping into an entirely new era. Email has become the lifeblood of some companies, and an indispensable part of business for many more. Contracts that once required stacks of paper documents signed in multiple originals by the principals -- often in person at the same time -- can now be executed as electronic transactions by the principals from their home offices, reducing closing costs and increasing productivity.
Increasingly, electronic records are becoming the norm, and the importance of physical records has diminished. More businesses are "going paperless" to reduce the amount of physical records and storage necessary, reducing overhead costs. The insurance industry has, in many cases, quietly been at the forefront of the electronic revolution, being among the first industries to recognize the benefits of technology and electronic transactions.
Federal and state laws and regulations have continued to modernize, as well, encompassing broad definitions of the types of records that must be retained, protected and secured. These regulations can change relatively quickly, as new developments in business or technology expand the landscape of electronic information. The privacy, security and integrity of records have become three distinct concerns under the law, imposing different duties and obligations on the recordkeeper as well as stiffer penalties for violations.
E-discovery has become increasingly prominent in litigation, and criminal sanctions for the destruction of records in the face of litigation are pervasive. Specialized consulting firms now employ cutting-edge computer forensics and technology to explore computer systems to investigate data corruption and destruction concerns.
A static list of clean categories of documents and records, formulated once and never reviewed or revised again, is no longer sufficient to serve as a record retention policy. Recordkeeping is no longer the end product of a business process or transaction execution resigned to a clerk in the back room of the office.
Recordkeeping has now become an active process that requires the informed and reliable participation of an insurance company's officers and employees at all levels. Record retention and destruction policies must focus on the process of record development, storage and elimination, not just the outcome, and these policies must be periodically reviewed and revised.
Information privacy, security and integrity must each be addressed independently with respect to both the transmission and storage of data. Processes and procedures should be prepared to facilitate an efficient and effective response to any breach, or attempted breach, of the systems that store, transmit, protect and secure information.
Public awareness has created an increased expectation of information privacy -- that is, a business must ensure that the information it maintains is protected from unauthorized public disclosure or use, and that such information generally remains inaccessible except to those who need access to it to produce the products or services of the business. Specific classes of data, such as healthcare records and criminal proceedings, have heightened information privacy concerns, including legal requirements and sanctions for violations.
Data security is another distinct area of concern. Insurance companies and other businesses have an increasing responsibility to ensure that the information and records they receive, use, store and send are protected from theft or unauthorized use -- by both outside parties and their own employees. Data security breach laws aimed at certain types of information, such as personal financial information, impose significant duties on a business with respect to a data breach, or even an attempted breach. These obligations often include notification to all individuals whose information may have been accessed, and are usually enforceable by significant penalties.
While there is no comprehensive federal legislation on data security breach, there are a number of federal laws, rules and regulations, including HIPAA and GLB as discussed previously, that require certain industry sectors to protect personal information and to provide notification in the event that personal information is exposed to a security breach. The first state law requiring database security breach notification was enacted in California in 2002. As of 2012, approximately forty-six states, as well as the District of Columbia, Puerto Rico and the Virgin Islands, have laws requiring notification regarding the security breach of personal data or information held, maintained or controlled by a business or other third party.10
Record integrity, which can be seen as a subset of data security, concerns the unauthorized alteration or corruption of information. While not currently as significant an issue as information privacy or data security, companies should ensure that the information security protections they put into place also protect the integrity of the data records.
Recordkeepers must also remain up-to-date on current federal and state laws and regulations regarding data security and information privacy and record integrity, as well as potential triggers of heightened duties in these areas, such as the receipt of personal medical information or the commencement of litigation.
For example, new amendments to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules became effective on March 26, 2013. These new amendments, among other revisions and restrictions, prohibit most health plans from using or disclosing genetic information for underwriting purposes. These amendments also make business associates of covered entities directly liable for compliance with certain of the HIPAA requirements relative to privacy and security.11
In conclusion, recordkeeping has moved from file-and-forget to an area of potential pitfalls, legal obligations, heightened consumer expectations and, most notably, increased liability. An insurance company or other business that fails to adequately protect and secure the information it receives, transmits and utilizes can face regulatory action, including fines and penalties, as well as increased exposure to private lawsuits. Increased consumer privacy sensitivity and media scrutiny can mean that an otherwise minor lapse in security could result in significant damage to business reputation and good will. Additionally, an insurance company or other business may face increased costs and expenses in complying with legally mandated requirements set forth in data security breach notification laws.
Protecting an insurance company or other business from these various pitfalls and ensuring a company remains in compliance with the law is a multifaceted concern. New forms of liability protection, such as data security breach insurance and security breach notification services, have developed to help businesses protect themselves from the costs, expenses and legal mandates associated with data breach incidents. These products and services are tools that should form part of a company's comprehensive effort to secure its data and to protect itself from the potential consequences of a security or privacy breach.
More importantly, however, an insurance company or other business must develop modern, active data security protocols and information protection policies, and it should update these protocols and policies on a regular, systematic basis. The development of these protocols and policies, as well as their ongoing review and updating, should include consultation with a knowledgeable legal professional to determine the applicable statutory and regulatory requirements, as well as areas of potential liability such as fines, penalties and private lawsuits.
1. Dietal, J. Edwin. "Recordkeeping Integrity: Assessing Records' Content After Enron." The Information Management Journal. May/June 2003, p. 43.
2. Stranger, Andrew J. "Document Destruction After Enron: Interpreting the New Sarbanes-Oxley Obstruction Statutes." 5 U.C. Davis Bus. L.J. 13 (2005).
3. The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, enacted August 21, 1996.
4. Standards for Privacy of Individually Identifiable Health Information; Final Rule. 67 FR 53781. 45 CFR Parts 160 and 164. Effective October 15, 2002.
5. The Gramm-Leach-Bliley Act, Public Law 106-102, enacted November 12, 1999. Also known as the Financial Services Modernization Act of 1996.
6. Privacy of Consumer Financial and Health Information Regulation. NAIC MDL-672.
7. Market Conduct Record Retention and Production Model Regulation. NAIC MDL-910. Legislative History.
8. Centers for Disease Control and Prevention. "Meaningful Use: Introduction." http://www.cdc.gov/ehrmeaningfuluse/introduction.html (as of April, 2013).
9. Market Conduct Record Retention and Production Model Regulation. NAIC MDL-910. Legislative History.
10. Stevens, Gina. "Data Security Breach Notification Laws." Congressional Research Service, 7-5700, R42275. April 10, 2012. http://www.fas.org/sgp/crs/misc/R42475.pdf (as of April, 2013). Also known as "Federal Information Security and Data Breach Notification Laws."
11. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. 78 FR 5565. 45 CFR Parts 160 and 164. Effective March 26, 2013.