Sarbanes-Oxley Act (SOX): Federal law that sets requirements for financial records retention and corporate accountability. Organizations must maintain accurate financial records and implement internal controls for data retention.
Health Insurance Portability and Accountability Act (HIPAA): Federal law governing the protection and retention of healthcare data. Requires specific backup and retention policies for protected health information (PHI).
Gramm-Leach-Bliley Act (GLBA): Federal law requiring financial institutions to explain their information-sharing practices and protect sensitive data. Includes specific requirements for data backup and retention.
Federal Rules of Civil Procedure (FRCP): Federal rules establishing requirements for electronic discovery in legal proceedings, including the preservation and production of electronically stored information (ESI).
Family Educational Rights and Privacy Act (FERPA): Federal law protecting the privacy of student education records, including requirements for how educational institutions must maintain and protect these records.
Fair Labor Standards Act (FLSA): Federal law requiring retention of employment records, including payroll records, time cards, and other employee-related documentation.
IRS Requirements: Federal tax regulations requiring businesses to maintain tax records and supporting documentation for specific periods, typically at least three years.
Payment Card Industry Data Security Standard (PCI DSS): Industry standard for organizations that handle credit card information, including specific requirements for data backup and retention.
FDA 21 CFR Part 11: Federal regulation establishing requirements for electronic systems that maintain records for FDA-regulated industries, including pharmaceutical and medical device companies.
SEC Rule 17a-4: Securities and Exchange Commission rule specifying retention requirements for broker-dealers, including requirements for electronic storage media and data retention periods.
State Data Breach Notification Laws: Various state-specific laws requiring organizations to notify individuals when their personal information has been compromised, with implications for data retention and security.
California Consumer Privacy Act (CCPA): California state law providing privacy rights and data protection for California residents, including specific requirements for data retention and consumer access.
SHIELD Act: New York state law requiring businesses to implement safeguards for private information of New York residents and establish data retention policies.
General Data Protection Regulation (GDPR): European Union regulation with global impact, establishing requirements for processing and retaining personal data of EU residents.
Personal Information Protection and Electronic Documents Act (PIPEDA): Canadian federal privacy law establishing rules for how private sector organizations collect, use, and disclose personal information.
NIST Guidelines: Technical standards and guidelines developed by the National Institute of Standards and Technology for data security and retention practices.
ISO/IEC 27001: International standard providing requirements for information security management systems, including guidelines for data backup and retention.
