• About Us
• Services
• Labs & Facilities
• Help & Instruction
• Policies, Procedures & Standards
• Search
  CCC site only
  All WPI IT sites
  
• CCC Home
• Quick Links
  • Helpdesk
  • Software Instruction
  • Network Operations
  • Telecommunications
  • Web Information System

Federal and State Legislation

Information about federal and state legislation is provided by a number of generally accepted sources. Several, but not all, of those sources are identified below. Since legislation is constantly changing, any or all of these sites may be out of date at any given time. These sites are maintained by the sponsoring organization, not WPI.

Databases

• The Federal Laws and Regulations (Center for Regulatory Effectiveness) developed FedLaw to see if legal resources on the Internet could be a useful and cost-effective research tool for Federal lawyers and other Federal employees. It provides Federal laws, regulations, and executive orders arranged by an easy subject approach.
• The THOMAS site is the portion of the Library of Congress providing federal legislative information.
• The Cornell Law Library provides a search capability by categories for federal and state legislation.
• Zimmerman's Online Encyclopedia for Legal Researchers provides an extensive list of topics directly or indirectly related to legal research from actors and bill jackets to military records and trade secrets.
• General Laws of Massachusetts.

Prominent data security legal acts related to education

The list below identifies some of the prominent federal and state legal acts governing information security.

A. Intellectual property protection acts

1. Copyright Act; Fair Use
   http://www.copyright.gov/,http://www.copyright.gov/fls/fl102.html
2. Digital Millennium Copyright Act (DMCA)
   http://www.copyright.gov/legislation/dmca.pdf
3. Technology, Education and Copyright Harmonization Act (TEACH)
   http://edworkforce.house.gov/issues/108th/education/highereducation/2211billsummary.htm

B. Privacy and disclosure acts

1. Federal Family Educational Rights & Privacy Act (FERPA)
   http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
2. Gramm-Leach Bliley Act (GLBA)
   http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
   
   

   The 1999 Financial Services Modernization Act, Gramm-Leach-Bliley (GLB), Privacy Rule - 15 U.S. Code sections 6801-6809 permits the consolidation of financial services companies and requires financial institutions to issue privacy notices to their customers, giving them the opportunity to opt-out of some sharing of personally identifiable financial information with outside companies.

   Gramm-Leach-Bliley Act protects banking information. This includes student financial aid records, but not student accounts.¹

3. USA PATRIOT Act
   http://www.lifeandliberty.gov/index.html
4. Health Insurance Portability and Accountability Act (HIPAA)
   http://www.hhs.gov/ocr/hipaa/
   
   

   Health Insurance Portability and Accountability Act (HIPAA) safeguards personally identifiable health information of individuals. Life with HIPAA, A Primer for Higher Educations provides an overview, at http://www.educause.edu/ir/library/pdf/ERB0307.pdf. "Health Insurance Portability and Accountability Act of 1996 (HIPAA) - 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic Protected Health Information. HIPAA includes provisions designed to save money for health care businesses by encouraging electronic transactions and also regulations to protect the security and confidentiality of patient information. The privacy rule took effect on April 14, 2001, with most covered entities (health plans, health care clearinghouse and health care providers who conduct certain financial and administrative transactions electronically) having until April 2003 to comply." The security rule took effect on April 21, 2003. For more information, see the Web site of the federal Office of Civil Rights http://www.hhs.gov/ocr/hipaa/."

5. The Personal Data Privacy and Security Act is federal legislation, passed in November 2005, that protects personally identifiable information like Social Security, bank routing, or credit card number. It requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.
6. Individual state acts
   
   

   Several states implemented privacy legal acts. WPI constitutes who reside in those states may be covered by those acts. California has been a leading example. This list below is a sampling of those acts.

   WPI maintains data on students and employees who may be California residents. If information is inappropriately disclosed about California residents, a California law may apply to the situation.

   • State of California Constitution Article 1
     http://www.leginfo.ca.gov/.const/.article_1
   • State of California Government Code, Section 6254 (j) (This State law pertains to the confidentiality of library circulation records)
     http://caselaw.lp.findlaw.com/cacodes/gov/6250-6270.html
   • State of California Government Code, Section 11015.5 (This State law pertains to the confidentiality of electronically collected personal information)
     http://caselaw.lp.findlaw.com/cacodes/gov/11000-11019.9.html
   • State of California Information Practices Act of 1977 (Civil Code Section 1798 et seq.)
     http://www.leginfo.ca.gov/cgi-bin/waisgate?WAISdocID=717345478+0+0+0&WAISaction=retrieve
   • The California Information Practices Act of 1977 established certain requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual.
     http://caselaw.lp.findlaw.com/cacodes/civ/1798-1798.1.html
   • State of California Public Records Act (Gov. Code Section 6250 et seq.)
     http://www.thefirstamendment.org/pratxt.html
   
   
   

   The California Public Records Act declares that access to information concerning the conduct of the people's business is a fundamental and necessary right of every person in the State, that public records are open to inspection at all times during regular office hours, and are subject to inspection and copying by every person except as provided in the Act.

   6254 (j) 8. Library circulation records kept for the purpose of identifying the borrower of items available in libraries, and library and museum materials made or acquired and presented solely for reference or exhibition purposes. This exemption does not apply to records of fines imposed on the borrowers.

   The California Office of Privacy Protection provides a website,
   http://www.privacy.ca.gov/lawenforcement/laws.htm#twelve

C. Network and computer access and abuse

1. Computer Fraud and Abuse Act
   http://cio.doe.gov/Documents/CFA.HTM
   http://www.state.gov/misc/415.htm; http://www.usdoj.gov/criminal/cybercrime/1030_new.html



Computer Fraud and Abuse Act of 1984 - 18 U.S. Code section 1030 makes unauthorized access to "protected computers" illegal. Protected computers include U.S. government computers, computers used in interstate commerce and computers used by financial institutions. It also prohibits trafficking in computer passwords and damaging a protected computer.

2. Electronic Communications Privacy Act
   http://cio.doe.gov/Documents/ECPA.HTM; http://www.alw.nih.gov/Security/FIRST/papers/legal/ecpa.txt
   
   

   Electronic Communications Privacy Act of 1986 - 18 U.S. Code sections 2510-2522, 2701-2711, 3121, 1367. This law amends the federal wiretap law to cover specific types of electronic communications, such as e-mail, radio-paging devices, cell phones, private communications carriers, and computer transmissions. It also extends the ban on interception to the communications of wire or electronic communication services and sets restrictions on access to stored wire and electronic communications and transaction records.

3. Communications Assistance for Law Enforcement Act (CALEA)
   
   • Aug. 5, 2005, The FCC adopted a final order providing that certain wireline broadband and interconnected Voice over Internet Protocol (VoIP) services be prepared to accommodate law enforcement wiretaps pursuant to the CALEA (as a hybrid between traditional telecommunications carriers and information services).
   • Privacy groups challenged the commission's ruling in court.
   • June 9, 2006, The U.S. Court of Appeals for the D.C. Circuit ruled that the expansion of a federal law enforcement telecommunications wiretapping law to certain broadband Internet service and VoIP providers is legal (American Council on Educ. v. FCC, D.C. Cir., No. 05-1404, petition denied 6/9/06
4. Massachusetts Computer Crime Law
   

   In 1995, the Massachusetts legislature enacted legislation designed to punish and help deter several forms of computer crime. Up until the passage of this legislation, it was a crime to completely remove data from a computer system without authorization - damaging data left on a system and "snooping" in systems were not prohibited.

   The new law changed this. Specifically, this legislation:

   • Prohibits unauthorized access to any computer system, either directly or by network or telephone. The law provides that the use of password authorization systems to control access to a computer system puts people on notice that their access is unauthorized if they don't have a legitimate password.
   • Amends the criminal vandalism statute to make it clear that electronically stored or processed data is "property", the destruction or corruption of which is illegal.

   Up until the passage of this legislation, it was a crime to completely remove data from a computer system without authorization - damaging data left on a system and "snooping" in systems were not prohibited.

   • Prohibits the theft of commercial computer service.

   The law also made two improvements to Massachusetts procedural law allowing easier prosecution of computer related offenses with less disruption to legitimate business. Previously, businesses whose systems had been violated were deterred from actively prosecuting the offense because they might be faced with prosecutors having to seize originals of their computer and data files. The updated computer crime law makes electronic copies of these files admissible, thus allowing a business to maintain use of its systems for ongoing operations. It also provides that computer crime may be prosecuted and punished either in the county where the perpetrator was physically located at the time he or she committed the crime, or in the county where the computer system and data that was accessed or corrupted was located at the time of the violation. This means, for example, that a hacker accessing a Massachusetts based business's computers in Massachusetts from another state would be susceptible to prosecution in Massachusetts.

   This law is referenced on WPI's Acceptable Use Policy (AUP) webpage, http://www.wpi.edu/Pubs/Policies/AUP/

   Computer crime is specified in the General Laws of the Commonwealth of Massachusetts, http://www.mass.gov/legis/laws/mgl/index.htm.

5. Massachusetts Security Breach Notification Act
   

   This is an Act Relative to Security Freezes and Notification of Data Breaches. It requires businesses and government agencies to notify state residents if personal information is breached. The effective date is February 3, 2008. It requires notification of breaches of unencrypted personal information in either electronic or paper form. Personal information is defined as an individual's first name or initial and last name in combination with their SS#, driver's license or state identification card number or financial account information along with password or access information. The law is provide by The 185th General Court of the Commonwealth of Massachusetts on http://www.mass.gov/legis/laws/seslaw07/sl070082.htm.

6. Changes to the Federal Rules for Civil Procedures relative to information security and access.

Other references

• California Privacy Legislation and Policy
  http://libraries.universityofcalifornia.edu/sopag/privacytf/leg_pol.html

Proposed legal acts

The charge also included keeping pace with related, new and changing legal acts. These include:

1. Proposed federal legislation, Leahy-Specter 2007, Personal Data Privacy and Security Act of 2007

Payment Card Industry Standard

In response to growing concerns about information security, the major credit card companies established industry standards to better protect card information. Although the Payment Card Industry (PCI) Data Security Standard (DSS) is not a legal act, a breach of compliance could result in significant adverse repercussions, such as exposure of payment card information, loss of financial institution connections to process payment cards, adverse publicity, and loss of consumer trust. Therefore, WPI has a Payment Card Policy.

"The Payment Card Industry Standard (PCI) standards and regulations went into effect June 1, 2005, requiring any institution that handles credit card transactions to take very specific measures to safeguard credit card data. Any leaking of credit card information from a university site can have dramatic impacts, up to and including termination of all card processing abilities by the banking industry at the university and financial liability for any fraudulent charges to stolen cards for 18 months."²

PCIDSS was created primarily to address electronic information, but the standard also applies to other media, such as paper, telephone, and email. PCIDSS applies to all merchants that store, process, or transmit credit card information regardless of the volume or transaction amount.

Revision History

• The Information Technology Division endorsed this page on January 22, 2008.
• The Faculty Committee on IT Policy endorsed this page on February 19, 2008.

¹ - EDUCAUSE ECAR, p.6
² - EDUCAUSE ECAR publication, Campus IT Security: Governance, Strategy, Policy, and Enforcement

Maintained by itweb
Last modified: May 13, 2008, 17:15 UTC

Computing and Communications Center - Worcester Polytechnic Institute
100 Institute Road, Worcester, MA 01609-2280
Phone: +1-508-831-5136 - Fax: +1-508-831-5483 - itweb