Information Technology Compliance

Stop Hacks and Improve Electronic Data Security (SHIELD) Act of New York

Effective March 21, 2020, the NY SHIELD Act aims to protect the private information of consumers and place accountability on organizations that do not demonstrate adherence to the Act.

Compliance with the NY SHIELD Act includes the provision of a Cyber Awareness Training Program. “A covered business will be deemed to be in compliance with the SHIELD Act’s data security requirement if the business implements a data security program that includes reasonable administrative, technical and physical safeguards.”

NY SHIELD Resources

Family Educational Rights and Privacy Act (FERPA)

FERPA outlines what rights the student has to his/her education records. It also outlines when education records can be disclosed and to whom.

Examples of FERPA protected data include:

  • Grades, transcripts, and degree information
  • Class schedule
  • Student’s information file (including demographic information)

Faculty and staff handling this data need to complete required certification and annual renewal training.

FERPA Resources
  1. U.S. Department of Education FERPA resource: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
  2. Sample training modules: https://studentprivacy.ed.gov/content/online-training-modules
  3. Exemplary Institutional Documentation (Michigan Tech): https://www.mtu.edu/registrar/faculty-staff/ferpa/

Gramm-Leach Bliley Act (GLBA)

GLBA was enacted by the Federal Trade Commission. Also known as the Financial Modernization Act of 1999, it is a federal law enacted in the United States to control the ways that financial institutions handle the private information of individuals. The intent of GLBA is to protect personally identifiable information (PII) in situations where a consumer has provided information with the intent to receive a service.

Examples of financial services in higher ed include:

  • Student loans
  • Information on delinquent loans
  • Check cashing services

Faculty and staff handling this covered data need to complete required certification and annual training on information security.

GLBA Resources

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA requires that the university preserve the privacy and confidentiality of protected health information.

Examples of protected health information are:

  • Past, present, or future physical or mental health condition
  • Provision of health care
  • Past, present, or future payment for health care that identifies an individual (e.g., name, address, SSN, birth date)

Annual training on HIPAA practices should be required by departments that have access to health-related information.

HIPAA Breach Notification

On September 23, 2013, the HIPAA Omnibus Rule took effect modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules and implementing various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This rule provides for the notification of individuals following a breach of their unsecured protected health information.

HIPAA Resources

Payment Card Industry-Data Security Standard (v 3.0) (PCI-DSS)

PCI-DSS governs the security infrastructure required for handling payment card transactions. For higher education, four specific items have greater importance in the 3.0 standard:

  • Expanded penetration testing expectations
  • Protect devices that capture card data from physical tampering
  • Key management and anti-virus updates
  • Logging requirements

The PCI-DSS standard encourages institutions to increase security awareness, pointing out the:

  • Need for education
  • Need to make compliance a normal practice
  • Need to make security a shared responsibility

PCI-DSS Resource

Data Breach Notification: State of New York Law

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. The New York State Information Security Breach and Notification Act provides guidance on the timeline for breach notifications as well as clear definitions of Private and Personal Information.

New York Disclosure Notifications

The disclosure must be made in “the most expedient time possible without unreasonable delay”, consistent with the legitimate needs of law enforcement. The notification may be delayed if a law enforcement agency determines that such notification may impede a criminal investigation. The notification should be made after the law enforcement agency determines that such notification will not compromise the investigation.

New York Definitions: Private Information

“Private Information” is defined as “personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: 1) social security number; 2) driver’s license number or non-driver identification number; or 3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Private Information does not include publicly available information which is lawfully made available to the general public from federal, state or local government records.”

New York Definitions: Personal Information

Personal Information means “any information concerning a natural person which, because of name, number, personal mark, or other identifier can be used to identify such natural person.”

Data Breach Resource
