There are several laws and regulations created to protect the confidentiality, integrity, and availability of different types of University sensitive information. Many University policies have been implemented to ensure compliance with the following regulations.
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student academic records and allows the student to determine what information should be confidential, and who should have access to that information. FERPA policy enforcement is handled by the Office of the Registrar.
The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of individually identifiable health information. HIPAA has two parts; the Privacy Rule determines what data is considered protected health information and who may have access to it. The Security Rule focuses on ensuring that only those who are authorized actually do have access.
The Health Information Technology for Economic and Clinical Health (HITECH) Act imposes new federal security breach notice requirements and adds numerous new privacy and data security restrictions for covered entities and their business associates under HIPAA.
The Gramm Leach Bliley Act (GLBA) requires Michigan Tech to safeguard nonpublic customer data, limit disclosures of such data, and notify customers of their information sharing practices and privacy policies The act states, among other things, that the University must develop, implement and maintain a written comprehensive information security program to achieve the security and confidentiality of customer data, to protect against anticipated threats or hazards, and to protect against unauthorized access or use that could result in substantial harm.
The Red Flags Rule (RFR) requires Michigan Tech to implement a written Identity Theft Prevention Program designed to detect the warning signs or "red flags" of identity theft in the University’s day-to-day operations.
The Payment Credit Industry Data Security Standards defines protected customer financial information, and establishes security best practices to safeguard that information. Expensive fines may result from mishandling of financial data, as well as potential revocation of credit card processing services. While not a law, compliance with the PCI Data Security Standard is required to accept major credit cards for business transactions on campus.