Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Federal laws applicable to Universities
From: "Long, H Morrow" <morrow.long () YALE EDU>
Date: Thu, 7 Nov 2013 22:34:05 +0000

My recommendation is that you always consult your own legal counsel regarding what compliance laws and regulations your 
institution is affected by and must comply with -- but you can always suggest that you think that they should look into 
certain areas of law and compliance that may not be front-burner issues for them.

Not Federal laws applicable to Universities but one area you can poke them on (and once poked it may become somewhat of 
a head ache to them...) is the topic of individual US state (as well as US Territory and even international) 
legislation -- particularly privacy law.  If you have a physical location in a US state other than your main location 
you are likely to be subject to the laws of that state as well -- ask your attorneys.

A more contentious and controversial issue is just how subject to the laws of another US state is your institution if 
you have students from that state (e.g. California or Massachusetts) or even from a European Union (E.U.) country.

Many of the individual 50 US states have their own privacy laws and/or regulations -- primarily for the protection of 
personal identity (and sometimes also financial) information (AKA PII and PFI).

For example, the state of Connecticut's Privacy Law (SB 5658) considers a number of numeric and non-numeric identifiers 
as PII to be protected (SSN, Driver's License # and several others).

California's Breach Notification Law (SB 1386) and Massachusetts (MA 201 CMR 17) laws are comprehensive models for many 
other US state laws and regulations.

The following is from 2010 so it is likely to be a bit out of date:

http://www.ps-snug.org/presentations/2010_Fall/Managing%20compliance-state-Privacy-Laws%20-%20Mentis.pdf

I did a Google search on "Puerto Rico Privacy Law" and pulled up a number of references...

- Morrow


On Nov 7, 2013, at 3:43 PM, Francisco Pérez wrote:

I know that FERPA, HIPAA( if healthcare data) and maybe PCI are applicable to Universities on the US. But there is any 
other federal laws applicable or that Universities need to comply with?. Just working on fundamental laws for IT 
Compliance on Universities.

Will appreciate your comments.

--
Francisco Pérez
Information System Office
UPR-Medical Sciences Campus
francisco.perez12 () upr edu<mailto:francisco.perez12 () upr edu>
www.rcm.upr.edu<http://www.rcm.upr.edu/>

Confidentiality Notice: Any use, review, distribution or copying of this communication by anyone other than the named 
recipient(s) is strictly prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by 
error and delete this e-mail from your system.

Please print this email only when necessary.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]