Information Security Laws and Regulations

You and the university must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. In some cases, there are additional requirements based on the U-M data classification level of the data you are working with (see the Sensitive Data Guide).

Controlled Unclassified Information (CUI)

Data Classification Level:
High

Controlled Unclassified Information (CUI) is federal non-classified information that requires safeguarding compliant with the security controls delineated in NIST SP 800-171r2  or NSIT SP 800-53 R5 depending on specific contractual terms. The CUI program is a government-wide approach to creating a uniform set of requirements and information security controls directed at securing sensitive government information. The NIST document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. CUI requirements apply to U-M researchers when they are given access to CUI information under the terms of a FAR or DFARS contract or other agreement.

Federal Acquisition Regulations (FAR) Basic Safeguarding (52.204-21) and
Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7020)

The principal purpose of federal contracts awarded to U-M is to provide services or conduct research for the direct benefit or use of the U.S. government. Federal contracts are awarded under the federal government’s procurement process and are governed by a strict set of terms and conditions, including information security requirements in FARS and DFARS (contracts with the Department of Defense). The level of stringency of Information security and data protection controls depends on the specific category and subcategory of the controlled unclassified information (CUI) as identified in the CUI Registry and as required under FAR and DFAR clauses in contracts. FAR and DFAR clauses do not generally apply to federal grants.

U-M Resources

Data Steward

U-M Office of Research (UMOR) Research Information Oversight Program: [email protected]

Digital Millennium Copyright Act (DMCA) and Higher Education Opportunity Act (HEOA)

Data Classification Level:
Low

The Digital Millennium Copyright Act of 1998 (DMCA) and the Higher Education Opportunity Act (HEOA) of 2008 require that U-M manage a digital copyright compliance program that consists of four components:

  1. Annual disclosure/education and awareness
  2. A strategy for effectively combating the distribution of unauthorized copyrighted materials
  3. Provision of alternative sources for authorized copies of copyrighted materials
  4. Strategic plan review

U-M Resources

Data Examples

The following data and activities are subject to digital copyright compliance regulations:

  • Third-party content shared through social media sites, such as YouTube, or peer-to-peer (P2P) file sharing technology, such as BitTorrent
  • Making copies of copyrighted works available or acquiring unauthorized copies of copyrighted works

Data Steward

DMCA Agent for the University of Michigan: [email protected]

Export Control (ITAR/EAR/OFAC)

Data Classification Level:
High

Export controlled research falls under several regulations, including:

  • International Traffic in Arms Regulation (ITAR, Department of State)
  • Export Administration Regulations (EAR, Department of Commerce)
  • Office of Foreign Assets Control (OFAC, Department of Treasury).

Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation.

Non-U.S. citizens are not allowed to work on this type of project, and this kind of data cannot be stored on systems outside the United States.

U-M Resources

Data Steward

U-M Research Ethics and Compliance, Export Control Officer: [email protected]

Family Educational Rights and Privacy Act (FERPA)

Data Classification Level:
Moderate

Student education records contain information directly related to a student and are maintained by the University of Michigan or by an educational agency or institution. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records.

U-M Resources

Data Steward

University Registrar: [email protected]

Federal Information Security Management Act (FISMA)

Data Classification Level:
Restricted

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for IT systems and store certain data on servers located in the U.S. FISMA applies generally to federal contracts as opposed to grants.

U-M Resources

Data Steward

Michigan Medicine Corporate Compliance: [email protected]

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) affects organizations worldwide, including universities. The GDPR is the primary law regulating how companies and organizations protect the personal data of people located in the European Union (EU).

U-M Resources

Data Examples

  • Any information that relates to the identity of an individual located in the European Union
  • Different pieces of information, which collected together can lead to the identification of a particular person located in the European Union

Contact Information

Gramm-Leach-Bliley Act (GLBA)

Data Classification Level:
High

The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect personal financial information held by financial and higher education institutions.

Departments that run their own student financial aid programs may need to be concerned about GLBA.

U-M Resources

Data Steward

Director, Student Financial Services: [email protected]

External Resources

Health Insurance Portability and Accountability Act (HIPAA)

Data Classification Level:
High

Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes privacy and security rules that govern how PHI is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to ensure data availability and integrity, while limiting access to PHI to only authorized people.

HIPAA privacy and security rules apply only to covered entities in their role as a health care provider, health plan, or health care clearinghouse. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.

U-M Resources

Data Steward

Michigan Medicine Corporate Compliance: [email protected]

External Resources

Payment Card Industry Data Security Standard (PCI DSS)

Data Classification Level:
Restricted

Guidelines for handling credit card information are defined by the Payment Card Industry Data Security Standard (PCI DSS). The University of Michigan Treasurer's Office specifically states: "Departments are not allowed to store electronically cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives." If transaction records are needed, use only the last 4 digits of the number of the card.

U-M Resources

Data Steward

University Treasurer: [email protected]

External Resources

Protection of Human Subjects (Common Rule)

Data Classification Level:
High

A human subject is a living individual about whom an investigator (whether faculty member, research scientist or associate, or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained. A human subject's personally identifiable data is sensitive if it would pose increased social/reputational, legal, employability, or insurability risk to the subject if disclosed. Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered to be sensitive.

Sensitive Identifiable Human Subject Research falls under the Protection of Human Subjects (Common Rule) as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtain is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."

U-M Resources

Data Steward

U-M Research Ethics and Compliance, Human Research Protection Program (HRPP): [email protected]

External Resources

Red Flags Rule for Identity Theft Prevention

Data Classification Level:
Moderate

The Red Flags Rule requires businesses that loan customers money, accept payments, or use credit reports to have methods in place to detect and prevent identity theft. The university complies with this Federal Trade Commission requirement through the U-M Identity Theft Prevention Program.

U-M Resources

Data Examples

These are examples of "red flags" that identify theft may have occured:

  • A fraud or active duty alert is included with a consumer report
  • Documents provided for identification appear to have been altered or forged
  • Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor
  • The Social Security number provided is the same as that submitted by other persons opening an account or other customers
  • Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account

Data Steward

Director, Student Financial Services: [email protected]

Social Security Number Privacy Act

Data Classification Level:
High

While Social Security numbers are a type of Personally Identifiable Information (PII), the legal requirements of the Michigan Social Security Number Privacy Act for protecting them are much more stringent than for other PII.

Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. U-M has not used Social Security numbers as identifiers for students and employees since 2004.

U-M Resources

Data Steward

HR Records & Information Services

External Resources