Educause Security Discussion
mailing list archives
Re: Federal laws applicable to Universities
From: "Long, H Morrow" <morrow.long () YALE EDU>
Date: Thu, 7 Nov 2013 22:34:05 +0000
My recommendation is that you always consult your own legal counsel regarding what compliance laws and regulations your
institution is affected by and must comply with -- but you can always suggest that you think that they should look into
certain areas of law and compliance that may not be front-burner issues for them.
Not Federal laws applicable to Universities but one area you can poke them on (and once poked it may become somewhat of
a headache to them...) is the topic of individual US state (as well as US Territory and even international)
legislation -- particularly privacy law. If you have a physical location in a US state other than your main location
you are likely to be subject to the laws of that state as well -- ask your attorneys.
A more contentious and controversial issue is just how subject to the laws of another US state is your institution if
you have students from that state (e.g. California or Massachusetts) or even from a European Union (E.U.) country.
Many of the individual 50 US states have their own privacy laws and/or regulations -- primarily for the protection of
personal identity (and sometimes also financial) information (AKA PII and PFI).
For example, the state of Connecticut's Privacy Law (SB 5658) considers a number of numeric and non-numeric identifiers
as PII to be protected (SSN, Driver's License # and several others).
California's Breach Notification Law (SB 1386) and Massachusetts's regulations (MA 201 CMR 17) are comprehensive models for many
other US state laws and regulations.
The following is from 2010 so it is likely to be a bit out of date:
I did a Google search on "Puerto Rico Privacy Law" and pulled up a number of references...
On Nov 7, 2013, at 3:43 PM, Francisco Pérez wrote:
I know that FERPA, HIPAA (if healthcare data) and maybe PCI are applicable to Universities in the US. But are there any
other federal laws that are applicable or that Universities need to comply with? Just working on fundamental laws for IT
Compliance in Universities.
Will appreciate your comments.
Information System Office
UPR-Medical Sciences Campus
francisco.perez12 () upr edu
Confidentiality Notice: Any use, review, distribution or copying of this communication by anyone other than the named
recipient(s) is strictly prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by
error and delete this e-mail from your system.
Please print this email only when necessary.