Safe Computing

Laws and Regulations Related to Handling Sensitive Protected Data

Federal and state laws and regulations require the University to apply certain security safeguards around various categories of sensitive institutional data or information. Industry standards, such as those that apply to credit card payments, create additional requirements.

To satisfactorily comply with these regulatory requirements, U-M must put in place and maintain reasonable and appropriate information security safeguards based on the results of periodic risk assessments. The U-M IT Security Program sets expectations for regulatory compliance to be carried out by all units as an important part of their IT security activities.

Regardless of how widely a law applies or how well known it is, every law that affects the activities of individuals at U-M creates obligations for which U-M, as an institution, is responsible. This means that every individual working at U-M needs to take responsibility for ensuring that U-M complies with laws and regulations.

Failure to comply with regulatory requirements as a result of mishandling sensitive data can lead to significant consequences for U-M. Responding to data breaches or disclosures of data, whether inadvertent or not, can be very time-consuming and expensive, and may include the expectation that U-M notify potentially affected individuals whose personal data is exposed.

Compliance Resource Center