Federal and state laws and regulations require the university to apply certain security safeguards around various categories of sensitive institutional data or information. Industry standards, such as those that apply to credit card payments, create additional requirements.
To satisfactorily comply with these regulatory requirements, U-M must put in place and maintain reasonable and appropriate information security safeguards based on the results of periodic risk assessments. The university establishes expectations for regulatory compliance to be carried out by all units as an important part of their IT security activities.
Every individual working at U-M must share the responsibility for ensuring that U-M is complying with laws and regulations.
Staff who handle sensitive university data should use the Sensitive Data Guide to make informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. In addition, persons traveling internationally should refer to Travel Safely With Technology. Following this guidance will help ensure U-M remains in compliance with federal and state regulatory requirements. All legal and regulatory compliance requirements apply whether a staff member is using a U-M owned or managed computer or a personally owned device to access or store U-M sensitive regulated data.
Lack of compliance with regulatory requirements that results from mishandling sensitive data can lead to significant consequences for U-M. Responding to data breaches or disclosures of data, whether inadvertent or not, can be very time-consuming and expensive, and may include the expectation that U-M notify potentially affected individuals whose personal data is exposed.
See Protect Sensitive Data for more ways to help protect U-M's data.
Applicable University Policies
You are responsible for complying with the policies and standards below.
- Information Technology Policies at U-M
- Sensitive Regulated Data: Permitted and Restricted Uses (DS-06)
- Information Security Policy (SPG 601.27)
- Institutional Data Resource Management Policy (SPG 601.12)
- Privacy and the Need to Monitor and Access Records (SPG 601.11)
- Information Security Incident Reporting (SPG 601.25)
- eDiscovery at the University of Michigan (DM-08) (PDF)