Information Security Laws and Regulations

Following are the laws and regulations that govern the use of various data types. The data types are organized according to the university's four sensitive data classification levels: Restricted, High, Moderate, and Low.

Laws and Regulations Organized by Sensitive Data Level

Restricted

Export Controlled Information (ITAR/EAR)

Export controlled research falls under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), which cover information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation.

Data Field Examples

  • Nuclear Physics
  • Scientific satellite information
  • Military electronics
  • Chemical and biological agents
  • Certain software or technical data sent to foreign persons
  • Work on new formulae for explosives

Access by foreign persons (anyone who is not a U.S. citizen, lawful permanent resident, or other protected individual) counts as an export and requires an export license or other authorization, so non-U.S. persons are generally not allowed to work on this type of project, and this kind of data cannot be stored on systems outside the United States.

Data Steward

Export Controls Compliance
Office of the Vice President for Research: exportcontrols@umich.edu

Federal Information Security Management Act (FISMA)

FISMA requires federal agencies, and contractors providing services on their behalf, to develop, document, and implement security programs for their IT systems and to store the data on U.S. soil. FISMA applies generally to federal "contracts" as opposed to grants.

Data Field Examples

Data exchanged with government systems, or data provided by the government, particularly data exchanged or provided under contract, may be subject to FISMA compliance regulations.

Credit Card Information (PCI)

Information defined by the Payment Card Industry Data Security Standard (PCI DSS). The University of Michigan Treasurer's Office specifically states: "Departments are not allowed to store electronically cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives." If transaction records are needed, use only the last 4 digits of the card number. PCI DSS also prohibits storing sensitive authentication data (the card verification code, full magnetic-stripe or chip data, and PINs) after a transaction has been authorized, even in encrypted form.

Data Field Examples

  • Cardholder name
  • Account number
  • Expiration date
  • Verification number
  • Security code

Data Steward

University Treasurer: treasury@umich.edu

High

Electronic Protected Health Information (ePHI) or HIPAA

ePHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy and Security Rules apply to covered entities in their role as a Health Care Provider, Health Plan, or Health Care Clearinghouse, and to the business associates that create, receive, maintain, or transmit PHI on their behalf. Protected health information excludes individually identifiable health information in:

  • Education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g(a)(4)(B)(iv)
  • Employment records held by a covered entity in its role as an employer

Data Field Examples

The following individually identifiable data elements, when combined with health information about that individual, make such information protected health information (PHI):

  • Names
  • Web Universal Resource Locators (URLs)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/License numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, and ZIP code
  • IP addresses
  • Biometric identifiers
  • Full face photographic images and any comparable images
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 (and any date elements that indicate such an age)
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Data Steward

Health System Compliance Officer: compliance-Group@med.umich.edu

Sensitive Identifiable Human Subject Research

A human subject is a living individual about whom an investigator (whether professional or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained.

Sensitive human subject research is governed by the Federal Policy for the Protection of Human Subjects ("Common Rule"). 45 CFR 46.101(b)(2) distinguishes regulated research from a category of exempt research using the following language: "Information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."

Data Field Examples

Individually-identifiable research data containing sensitive information about human subjects, such as information about:

  • illegal behaviors
  • drug or alcohol abuse
  • sexual behavior
  • mental health
  • other sensitive health or genetic information

Any data collected under an NIH Certificate of Confidentiality is considered to be sensitive.

Data Steward

Human Research Protection Program (HRPP): hrrpumich@umich.edu

Social Security Numbers

The SSN is a primary target for identity thieves and falls into the category of sensitive private protected information (PPI). For record-keeping purposes, use only the last 4 digits of the Social Security number.

The Michigan Identity Theft Protection Act, MCL 445.63, also applies to other personal private information beyond the SSN.

Data Field Examples

  • 123-45-6789 (format example only)
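The PCI entry above and this SSN entry reduce to the same record-keeping rule: keep only the last four digits, and never let the full number land on a university system. The following is an added example, not code from the university's guide or the Treasurer's Office, showing one way to build such a record and to audit existing rows for full numbers. The regular expressions, the Luhn checksum used to filter long digit runs, and the sample rows are assumptions constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed patterns (assumptions, not from the guide): an SSN in 3-2-4 form
# with never-issued area/group/serial values excluded, and a 13-19 digit run,
# optionally separated by spaces or dashes, as a candidate card number.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by card networks. Applied here only to cut false
    positives on long digit runs; the guide itself does not mention it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def last4(value: str) -> str:
    """Reduce a card number or SSN to the four trailing digits the guide
    allows in transaction or record-keeping entries."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 9:
        raise ValueError("expected a full SSN or card number")
    return digits[-4:]


def make_record(kind: str, full_number: str, amount=None) -> dict:
    """Build a record-keeping entry that never carries the full number."""
    rec = {"kind": kind, "last4": last4(full_number)}
    if amount is not None:
        rec["amount"] = amount
    return rec


def find_full_numbers(text: str) -> List[Tuple[str, str]]:
    """Scan free text (a spreadsheet export, a log line, a ticket body) for
    full SSNs or Luhn-valid card numbers that should not have been stored.
    Returns (kind, last4) pairs so the report itself does not repeat the data."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", digits[-4:]))
    return hits


# Constructed sample rows; 4111 1111 1111 1111 is a well-known test card
# number and 123-45-6789 is the guide's own SSN format example.
SAMPLE_ROWS = [
    "order 1001 paid with 4111 1111 1111 1111 exp 12/29",  # full PAN stored: violation
    "order 1002 paid with card ending 1111",                # compliant
    "applicant SSN 123-45-6789 verified",                   # full SSN stored: violation
    "applicant SSN last4 6789 verified",                    # compliant
]


def audit(rows) -> List[Tuple[int, str, str]]:
    """Return (row index, kind, last4) for every row holding a full number."""
    return [(i, kind, l4)
            for i, row in enumerate(rows)
            for kind, l4 in find_full_numbers(row)]


if __name__ == "__main__":
    print(make_record("card", "4111-1111-1111-1111", amount="25.00"))
    for i, kind, l4 in audit(SAMPLE_ROWS):
        print(f"row {i}: full {kind} ending {l4} must not be stored")
```

The audit deliberately reports only the last four digits of what it found, so that the findings file does not itself become a second copy of the prohibited data.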

Student Loan Information (GLBA)

The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect consumers' personal financial information held by financial institutions. Because they administer student loans and financial aid, institutions of higher education are treated as financial institutions under the FTC's GLBA Safeguards Rule.

Data Field Examples

  • Loan information
  • Student financial aid data
  • Payment History

Departments that run their own student financial aid programs may need to be concerned about GLBA.

Data Steward

Executive Director and University Registrar: RO.Compliance@umich.edu

Moderate

Student Educational Records (FERPA)

FERPA, the Family Educational Rights and Privacy Act, covers education records: records that contain information directly related to a student and that are maintained by an educational agency or institution, or by a party acting for it.

Data Field Examples

  • Grades
  • Student Transcripts
  • Degree Information
  • Class Schedule
  • Advising and Disciplinary Records

Data Steward

Executive Director and University Registrar: RO.Compliance@umich.edu

Red Flag Rules

The FTC's Red Flags Rule requires financial institutions and creditors that hold "covered accounts" (businesses that lend customers money, defer payment for goods or services, or use consumer credit reports) to maintain a written identity theft prevention program with procedures to identify, detect, and respond to the warning signs ("red flags") of identity theft.

Red Flag Examples

  • A fraud or active duty alert is included with a consumer report.
  • Documents provided for identification appear to have been altered or forged.
  • Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor.
  • The SSN provided is the same as that submitted by other persons opening an account or other customers.
  • Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
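The indicators above are detection rules, so they can be checked mechanically when an account is opened or reviewed. The following added example (not code from the guide, Student Financial Services, or the FTC) implements four of them over constructed account applications. The record layout, the REFERENCE dictionary standing in for an external data source, and the two-returned-mailings threshold are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Application:
    """One application for, or record of, a covered account (constructed layout)."""
    app_id: str
    name: str
    ssn: str
    address: str
    consumer_report_alert: Optional[str] = None  # "fraud" or "active_duty" if the report carries one
    mail_returned_count: int = 0                 # mailings returned as undeliverable
    transactions_since_return: int = 0           # account activity after the first return


def norm_ssn(ssn: str) -> str:
    return re.sub(r"\D", "", ssn)


def norm_text(s: str) -> str:
    return " ".join(s.lower().split())


def detect_red_flags(apps: List[Application],
                     reference: Dict[str, Dict[str, str]],
                     existing_customer_ssns=()) -> Dict[str, List[str]]:
    """Return {app_id: [flag, ...]} for every application that trips at least one
    of the listed red flags. `reference` maps SSN digits to the name/address an
    external source holds for that SSN (an assumed stand-in for a real lookup);
    `existing_customer_ssns` are SSNs already on other customers' accounts."""
    by_ssn: Dict[str, List[str]] = {}
    for a in apps:
        by_ssn.setdefault(norm_ssn(a.ssn), []).append(a.app_id)
    existing = {norm_ssn(s) for s in existing_customer_ssns}

    result: Dict[str, List[str]] = {}
    for a in apps:
        flags = []
        ssn = norm_ssn(a.ssn)
        # Fraud or active-duty alert included with the consumer report.
        if a.consumer_report_alert:
            flags.append("consumer_report_alert")
        # Identifying information inconsistent with the external source.
        ref = reference.get(ssn)
        if ref and (norm_text(ref["name"]) != norm_text(a.name)
                    or norm_text(ref["address"]) != norm_text(a.address)):
            flags.append("pii_mismatch")
        # Same SSN submitted by another applicant or an existing customer.
        if len(by_ssn[ssn]) > 1 or ssn in existing:
            flags.append("duplicate_ssn")
        # Mail repeatedly returned while the account keeps transacting.
        if a.mail_returned_count >= 2 and a.transactions_since_return > 0:
            flags.append("returned_mail_with_activity")
        if flags:
            result[a.app_id] = flags
    return result


# Constructed sample data (not real people or accounts).
REFERENCE = {
    "123456789": {"name": "Alice Example", "address": "1 Main St"},
    "234567890": {"name": "Bob Sample", "address": "2 Oak Ave"},
}
SAMPLE_APPS = [
    Application("A1", "Alice Example", "123-45-6789", "1 Main St"),
    Application("A2", "Bob Sample", "234-56-7890", "2 Oak Ave", consumer_report_alert="fraud"),
    Application("A3", "Carol Test", "123-45-6789", "9 Elm Rd"),       # reuses A1's SSN
    Application("A4", "Dan Demo", "345-67-8901", "4 Pine Ln",
                mail_returned_count=3, transactions_since_return=5),
    Application("A5", "Eve Clean", "456-78-9012", "5 Birch Ct"),      # no indicators
]


if __name__ == "__main__":
    for app_id, flags in detect_red_flags(SAMPLE_APPS, REFERENCE).items():
        print(app_id, ", ".join(flags))
```

A hit is a prompt for the written program's response step (verify identity, hold the account, notify the customer), not a determination of fraud; the forged-document indicator in the list is omitted because it needs a human or document-scanning check rather than a data comparison.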

Data Steward

Student Financial Services: um-sfo@umich.edu

Low

No laws or regulations specifically govern data at this level.