Information Technology Division
Computing & Communications Center

Federal and State Legislation

Information about federal and state legislation is provided by a number of generally accepted sources. Several, but not all, of those sources are identified below. Since legislation is constantly changing, any or all of these sites may be out of date at any given time. These sites are maintained by the sponsoring organization, not WPI.

Databases

Prominent data security legal acts related to education

The list below identifies some of the prominent federal and state legal acts governing information security.

A. Intellectual property protection acts

  1. Copyright Act; Fair Use
    http://www.copyright.gov/,http://www.copyright.gov/fls/fl102.html
  2. Digital Millennium Copyright Act (DMCA)
    http://www.copyright.gov/legislation/dmca.pdf
  3. Technology, Education and Copyright Harmonization Act (TEACH)
    http://edworkforce.house.gov/issues/108th/education/highereducation/2211billsummary.htm

B. Privacy and disclosure acts

  1. Federal Family Educational Rights & Privacy Act (FERPA)
    http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
  2. Gramm-Leach Bliley Act (GLBA)
    http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

    The 1999 Financial Services Modernization Act, Gramm-Leach-Bliley (GLB), Privacy Rule - 15 U.S. Code sections 6801-6809 permits the consolidation of financial services companies and requires financial institutions to issue privacy notices to their customers, giving them the opportunity to opt-out of some sharing of personally identifiable financial information with outside companies.

    Gramm-Leach-Bliley Act protects banking information. This includes student financial aid records, but not student accounts.1

  3. USA PATRIOT Act
    http://www.lifeandliberty.gov/index.html
  4. Health Insurance Portability and Accountability Act (HIPAA)
    http://www.hhs.gov/ocr/hipaa/

    Health Insurance Portability and Accountability Act (HIPAA) safeguards personally identifiable health information of individuals. Life with HIPAA, A Primer for Higher Educations provides an overview, at http://www.educause.edu/ir/library/pdf/ERB0307.pdf. "Health Insurance Portability and Accountability Act of 1996 (HIPAA) - 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic Protected Health Information. HIPAA includes provisions designed to save money for health care businesses by encouraging electronic transactions and also regulations to protect the security and confidentiality of patient information. The privacy rule took effect on April 14, 2001, with most covered entities (health plans, health care clearinghouse and health care providers who conduct certain financial and administrative transactions electronically) having until April 2003 to comply." The security rule took effect on April 21, 2003. For more information, see the Web site of the federal Office of Civil Rights http://www.hhs.gov/ocr/hipaa/."

  5. The Personal Data Privacy and Security Act is federal legislation, passed in November 2005, that protects personally identifiable information like Social Security, bank routing, or credit card number. It requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.
  6. Individual state acts

    Several states implemented privacy legal acts. WPI constitutes who reside in those states may be covered by those acts. California has been a leading example. This list below is a sampling of those acts.

    WPI maintains data on students and employees who may be California residents. If information is inappropriately disclosed about California residents, a California law may apply to the situation.

C. Network and computer access and abuse

  1. Computer Fraud and Abuse Act
    http://cio.doe.gov/Documents/CFA.HTM
    http://www.state.gov/misc/415.htm; http://www.usdoj.gov/criminal/cybercrime/1030_new.html

  2. Computer Fraud and Abuse Act of 1984 - 18 U.S. Code section 1030 makes unauthorized access to "protected computers" illegal. Protected computers include U.S. government computers, computers used in interstate commerce and computers used by financial institutions. It also prohibits trafficking in computer passwords and damaging a protected computer.

  3. Electronic Communications Privacy Act
    http://cio.doe.gov/Documents/ECPA.HTM; http://www.alw.nih.gov/Security/FIRST/papers/legal/ecpa.txt

    Electronic Communications Privacy Act of 1986 - 18 U.S. Code sections 2510-2522, 2701-2711, 3121, 1367. This law amends the federal wiretap law to cover specific types of electronic communications, such as e-mail, radio-paging devices, cell phones, private communications carriers, and computer transmissions. It also extends the ban on interception to the communications of wire or electronic communication services and sets restrictions on access to stored wire and electronic communications and transaction records.

  4. Communications Assistance for Law Enforcement Act (CALEA)
    • Aug. 5, 2005, The FCC adopted a final order providing that certain wireline broadband and interconnected Voice over Internet Protocol (VoIP) services be prepared to accommodate law enforcement wiretaps pursuant to the CALEA (as a hybrid between traditional telecommunications carriers and information services).
    • Privacy groups challenged the commission's ruling in court.
    • June 9, 2006, The U.S. Court of Appeals for the D.C. Circuit ruled that the expansion of a federal law enforcement telecommunications wiretapping law to certain broadband Internet service and VoIP providers is legal (American Council on Educ. v. FCC, D.C. Cir., No. 05-1404, petition denied 6/9/06
  5. Massachusetts Computer Crime Law

    In 1995, the Massachusetts legislature enacted legislation designed to punish and help deter several forms of computer crime. Up until the passage of this legislation, it was a crime to completely remove data from a computer system without authorization - damaging data left on a system and "snooping" in systems were not prohibited.

    The new law changed this. Specifically, this legislation:

    • Prohibits unauthorized access to any computer system, either directly or by network or telephone. The law provides that the use of password authorization systems to control access to a computer system puts people on notice that their access is unauthorized if they don't have a legitimate password.
    • Amends the criminal vandalism statute to make it clear that electronically stored or processed data is "property", the destruction or corruption of which is illegal.

    Up until the passage of this legislation, it was a crime to completely remove data from a computer system without authorization - damaging data left on a system and "snooping" in systems were not prohibited.

    • Prohibits the theft of commercial computer service.

    The law also made two improvements to Massachusetts procedural law allowing easier prosecution of computer related offenses with less disruption to legitimate business. Previously, businesses whose systems had been violated were deterred from actively prosecuting the offense because they might be faced with prosecutors having to seize originals of their computer and data files. The updated computer crime law makes electronic copies of these files admissible, thus allowing a business to maintain use of its systems for ongoing operations. It also provides that computer crime may be prosecuted and punished either in the county where the perpetrator was physically located at the time he or she committed the crime, or in the county where the computer system and data that was accessed or corrupted was located at the time of the violation. This means, for example, that a hacker accessing a Massachusetts based business's computers in Massachusetts from another state would be susceptible to prosecution in Massachusetts.

    This law is referenced on WPI's Acceptable Use Policy (AUP) webpage, http://www.wpi.edu/Pubs/Policies/AUP/

    Computer crime is specified in the General Laws of the Commonwealth of Massachusetts, http://www.mass.gov/legis/laws/mgl/index.htm.

  6. Massachusetts Security Breach Notification Act

    This is an Act Relative to Security Freezes and Notification of Data Breaches. It requires businesses and government agencies to notify state residents if personal information is breached. The effective date is February 3, 2008. It requires notification of breaches of unencrypted personal information in either electronic or paper form. Personal information is defined as an individual's first name or initial and last name in combination with their SS#, driver's license or state identification card number or financial account information along with password or access information. The law is provide by The 185th General Court of the Commonwealth of Massachusetts on http://www.mass.gov/legis/laws/seslaw07/sl070082.htm.

  7. Changes to the Federal Rules for Civil Procedures relative to information security and access.

Other references

Proposed legal acts

The charge also included keeping pace with related, new and changing legal acts. These include:

  1. Proposed federal legislation, Leahy-Specter 2007, Personal Data Privacy and Security Act of 2007

Payment Card Industry Standard

In response to growing concerns about information security, the major credit card companies established industry standards to better protect card information. Although the Payment Card Industry (PCI) Data Security Standard (DSS) is not a legal act, a breach of compliance could result in significant adverse repercussions, such as exposure of payment card information, loss of financial institution connections to process payment cards, adverse publicity, and loss of consumer trust. Therefore, WPI has a Payment Card Policy.

"The Payment Card Industry Standard (PCI) standards and regulations went into effect June 1, 2005, requiring any institution that handles credit card transactions to take very specific measures to safeguard credit card data. Any leaking of credit card information from a university site can have dramatic impacts, up to and including termination of all card processing abilities by the banking industry at the university and financial liability for any fraudulent charges to stolen cards for 18 months."2

PCIDSS was created primarily to address electronic information, but the standard also applies to other media, such as paper, telephone, and email. PCIDSS applies to all merchants that store, process, or transmit credit card information regardless of the volume or transaction amount.


Revision History


1 - EDUCAUSE ECAR, p.6
2 - EDUCAUSE ECAR publication, Campus IT Security: Governance, Strategy, Policy, and Enforcement

Maintained by itweb
Last modified: May 13, 2008, 17:15 UTC
[WPI] [CCC] [Top]