New ATF Ruling Allows Cloud-Based Storage of Acquisition and Disposition Records
The ATF has just released a new ruling—ATF Ruling 2016-1[1]—that modernizes the procedures for federal firearms licensees to keep their acquisition and disposition records in electronic format. The former procedures under ATF Ruling 2013-5[2] allowed FFLs to keep electronic records, but the procedures contained a critical omission. There was no option that would allow FFLs to use cloud-based data storage because the computer server on which the data resided had to be “owned and operated solely” by the FFL. ATF Ruling 2016-1 corrects this omission, and now FFLs will be able to store their acquisition and disposition records electronically and use the cloud to store the data.
The Gun Control Act of 1968 and the ATF’s implementing regulations require FFLs to keep records of their acquisition of firearms and corresponding records of the firearms’ disposition. These records—commonly known as “A&D records”—by law must be kept on an FFL’s business premises. The statute and the regulations, which were written long before businesses commonly used computers, envisioned that an FFL would keep paper documents on its business premises in order to comply with the law. As information technology developed and the benefits of electronic storage of records became obvious, the ATF issued a series of rulings to keep up with these developments. The latest ruling addresses the issue of an FFL using a third party to host the storage of its electronic A&D records.
Under the new ruling, an FFL may keep its A&D records on a server that is not on its business premises and is not owned or operated by the FFL if the following conditions are met: (1) the records must be readily accessible by the FFL during its regular business hours; (2) the facility that hosts the data must have a business premises in the United States and must be subject to United States legal process; and (3) the electronic records must be backed up daily and downloaded by the FFL daily so that the records are safeguarded against data loss. The ruling also requires the FFL to provide the ATF with the name and address of the facility where the data are hosted within 30 days of entering into a contract with a host facility or changing the host facility. The new requirements are detailed, and FFLs must be careful to follow the rules, but the core problem with ATF Ruling 2013-5—not allowing cloud-based data storage— has been solved.
Use of cloud-based data storage opens up a new set of legal issues for FFLs, which are important but which can easily be addressed. If an FFL chooses electronic recordkeeping and elects cloud-based data storage, then it will have to enter into a contract with a vendor. And, when it does so, the FFL will entrust some of its compliance obligations to a third party. This raises two important issues.
An FFL should be very selective when choosing a vendor to store its records and should choose one with experience in the firearms industry. By entering into a contract with a vendor to store records, the FFL will rely on that vendor to act in a manner that complies with ATF Ruling 2016-1. At the same time, the FFL, not the vendor, will be responsible to the ATF if the storage of the electronic records is not in compliance. The FFL should therefore select a vendor that understands the ATF regulatory environment and ensures that its conduct does not risk non-compliance.
When negotiating a contract with a vendor, the FFL should also require terms in the contract that make the vendor financially responsible if the vendor’s conduct results in non-compliance. The ATF will always hold the FFL responsible for non-compliance, and an FFL cannot “outsource” its regulatory responsibility. However, the FFL can require its vendor to bear the financial consequences of non-compliance if the vendor causes the non-compliance. For example, the FFL could require terms in its vendor contract that obligate the vendor to remedy non-compliant aspects of data storage at the vendor’s expense. In addition, the contract could require the vendor to indemnify the FFL against any costs imposed by the non-compliance and could require the vendor to pay the FFL’s legal fees if legal action arises from such non-compliance.
While ATF Ruling 2016-1 raises compliance issues, addressing these issues should not be difficult. The ruling specifically describes the requirements for electronic storage of A&D records, and FFLs, working with qualified vendors, should be able to adopt storage systems that are compliant and provide advanced record-keeping procedures. Moreover, the ruling is part of an effort by ATF to modernize record-keeping, as reflected in two additional rulings released along with 2016-1. In ATF Ruling 2016-2[3], the ATF has revised the procedures for completion of ATF Form 4473 (Firearms Transaction Record) via computer, and in ATF Ruling 2016-3[4], the ATF now allows manufacturers to consolidate their A&D records instead of keeping separate records for different categories of dispositions, as previously required.
[1] https://www.atf.gov/firearms/docs/ruling/2016-1-requirements-keep-firearms-records-electronically/download
[2] https://www.atf.gov/file/11226/download
[3] https://www.atf.gov/firearms/docs/ruling/2016-2-%E2%80%93-electronic-atf-form-4473/download
[4] https://www.atf.gov/firearms/docs/ruling/2016-3-%E2%80%93-consolidation-records-required-manufacturers/download