Laws and Industry Standards Defining and Regulating Sensitive Data
Mass. Identity Theft Prevention Law
Signed into law on August 3, 2007, the state's Identity Theft Protection Law stipulates what the state considers protected personal data, steps to take in the event of a breach, and the ways in which personal data must be destroyed.
Family Education Rights and Privacy Act
FERPA addresses sensitive private information about students. Colleges can disclose directory information, unless the student requests that they not do so, but strict restrictions apply to the disclosure of a student's educational records and personally identifiable information other than directory information. For instance, a college cannot, itself, disclose a student's grades or any other information from the educational record to his or her parents. On the other hand, the College cannot make available to students the financial records of the students' parents.
Importantly, while student medical records maintained by a physician or other medical professional are not subject to FERPA, once the records are shared with the student/patient or anyone at the College they are considered educational records and, for this reason, covered under FERPA rather than HIPAA (see below). This includes student-athlete medical information. Notably, FERPA considers all students enrolled in postsecondary educational institutions as having rights and responsibilities for their educational records. HIPAA does not transfer analogous rights from the parent to the child until the child is eighteen.
December 9, 2008 New FERPA information
Health Insurance Portability and Accountability Act
HIPAA addresses protected health information of employees and students. Guidance for complying with HIPAA security requirements is provided by the Centers for Medicare & Medicaid Services (CMS). CMS is neutral on technology matters, though there is an expectation of some form of access controls, unique user authentication, an emergency access procedure, automatic logoff, encryption and decryption, audit controls, and data integrity safeguards.
Electronic Communications Privacy Act
ECPA broadly prohibits the unauthorized use or interception by any person of the contents of any wire, oral, or electronic communication. It also prohibits unauthorized access to or disclosure of electronically stored communications. ECPA has different standards for public and private electronic communication services. In the context of a college, the correct application of ECPA may depend on the nature of the individual's role or the relationship between the individual and the institution.
USA Patriot Act
Cyber Security Enhancement Act
Institutional Review Board: Human Subject Research
Primarily relevant to research conducted by members of the department of psychology, Institutional Research, and IT/ATS.
Technology, Education, and Copyright Harmonization Act
TEACH extends certain Fair Use exceptions of copyright law to online teaching environments. Colleges, faculty members, and students must, however, follow specific access and use conditions when working with copyrighted content. In brief, copyrighted material can only be made accessible online to faculty members teaching formal courses and to students enrolled in the course, and only for the period during which the course is taught. They cannot distribute the material to those outside the course nor retain a copy at the end of the course.
Gramm-Leach-Bliley Act
In 2002 the FTC ruled that colleges are considered financial institutions under GLBA and must adhere to the Act's requirements for handling the sensitive private data of "customers." We must "develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards." The Act defines non-public personal information as "personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." The rules require colleges to 1) designate an employee or employees to coordinate their information security program; 2) identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information; 3) include in the risk assessment and resulting actions employee training and oversight, IT systems, and data processing, storage, transmission, and disposal; and 4) oversee the service providers who work with the private data we collect and manage so that they adhere to our program, contractually require service providers to implement and maintain safeguards, and periodically test, monitor, and update service providers' safeguards as needed.
(Stephen, perhaps, could define "customer" in the context of Amherst College. That is, while I think that it clearly covers students and their parents, does it include applicants and alums?) [sjminer] Amherst is considered a financial inst because we process student loans. [pschilling] Yes re: Sandy's statement, but as GLBA was paving the way for banks to move into other industries, the law extends to the ways in which data is shared by multi-functioning entities. In fact, I read how a key congressional rep signed on to the bill after being embarrassed by receiving Victoria's Secret mailings at his Washington DC home. He guessed that his bank had passed on his info to VS, or at least that is what he told his wife. . . .
Federal Rules of Civil Procedure
Amended Civil Rules 16, 26, 33, 34, 37, and 45 address discovery of electronically stored information during legal proceedings.
Payment Card Industry
PCI standards and regulations require any institution that handles credit card transactions to take specific measures to safeguard credit card data. Any leaking of information from a college site can lead to penalties up to and including the termination of all card processing abilities by the college and financial liability for all fraudulent charges to stolen cards for eighteen months.
Individual Contracts and Licenses
Contracts that the College enters into may include an agreement declaring that the terms and conditions of the contract will not be released. In addition, contracts may prohibit the College from releasing trade secrets held by the group or individual with whom the College has entered the contract.
There are, as of August 2006, at least three bills in the US House and at least another three bills in the US Senate which address holding data brokers accountable for the security of personally identifiable information. Some of these laws are quite weak and would allow companies to decide when a security breach warrants disclosure. Most would preempt state information security laws.
S 1408 Identity Theft Protection Act
This Act is still in draft form in the Senate. If passed, it will supersede all state security breach notification laws.
- Explicitly subjects "any charitable, educational, or nonprofit organization, that acquires, maintains, or utilizes sensitive personal information" to the provisions of the law.
- Defines sensitive personal information as: "an individual's name, address, or telephone number combined with one or more of the following. . . . (i) Social security number, taxpayer identification number. . . . (ii) Financial account number, or credit card or debit card number of such individual, combined with any required security code, access code, or password that would permit access to such individual's account. (iii) State driver's license identification number or State resident identification number."
- Requirements: "develop, implement, maintain, and enforce a written program for the security of sensitive personal information . . . ( which we) collect, maintain, sell, transfer, or dispose of, (the program must) contain administrative, technical, and physical safeguards: 1) to ensure the security and confidentiality of such data; (2) to protect against any anticipated threats or hazards to the security of such data; and (3) to protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual." The law also describes specific notification requirements if we experience a breach of sensitive personal information.
- The penalties that could be imposed on those found in violation of the law are up to $11,000 per affected individual or $11,000,000 in aggregate for all individuals affected by a single violation.
State Security Breach Notification Laws
Currently, 39 States have notification laws to which Amherst College would be subject should a security breach involve sensitive personal information of a resident of a given State. "Sensitive personal information" is not defined in exactly the same way by each State. For the purpose of this plan, I recommend that we address only the requirements, etc. of the Federal law.