This document is a working draft. Readers are cautioned not to use this document as an authoritative reference.

Information Security Program

Appendix B - Potentially Applicable Laws

DRAFT

As summarized below, a number of federal and state laws may also apply to information collected and maintained by University employees. Please direct questions regarding the applicability of these laws and other potential legal issues to the Office of General Counsel.

Computer Fraud and Abuse Act (CFAA)

Enacted in 1984 (and revised in 1994), the CFAA criminalizes unauthorized access to a “protected computer” with the intent to defraud, obtain any information of value or cause damage to the computer. Under the CFAA, a “protected computer” is defined as a computer that is used in interstate or foreign commerce or communication or that is used by or for a financial institution or the government of the United States. For example, the act of “hacking” into a secure web site from an out-of-state computer may violate the CFAA.

Electronic Communications Privacy Act (ECPA)

Enacted in 1986, the ECPA broadly prohibits (and makes criminal) the unauthorized use or interception of the contents or substance of wire, oral or electronic communications. In addition, the ECPA prohibits unauthorized access to or disclosure of electronically stored communications or information. Such prohibitions may apply to University employees who willfully exceed the scope of their duties or authorizations by accessing certain databases housed within the University system. The ECPA does not, however, prohibit the University from monitoring network usage levels and patterns in order to ensure the proper functioning of its information systems.

The Family Educational Rights and Privacy Act (FERPA)

Enacted in 1974, FERPA (also known as the Buckley Amendment) affords students (or parents if the student is a minor) certain rights with respect to the student’s “education records.” As defined under FERPA, the term “education records” encompasses a broad range of materials and information such as disciplinary, financial and academic records established during a given student’s enrollment and maintained in a variety of University databases and other filing arrangements. In particular, FERPA provides that “education records” and personally identifiable information contained therein may not be released or disclosed (including disclosure by word of mouth) without the written consent of the student (or parents, as the case may be). Violations of FERPA may result not only from the unauthorized disclosure of education records but also from the failure to exercise due care in protecting such records against unauthorized access from outsiders. However, even in the absence of express student (or parental) consent, FERPA permits disclosure of education records to University employees who have a legitimate interest in the student and to outside parties in a variety of circumstances, such as those where public health or safety are at issue.

Health Insurance Portability and Accountability Act (HIPAA)

Enacted in 1996, HIPAA sets national privacy standards for the protection of certain types of health information to the extent such information is electronically transmitted by health plans, health care clearinghouses, and health care providers. The University is subject to HIPAA as a provider of employee group health plans. Accordingly, with respect to such health plans, the University has (a) adopted written privacy procedures describing who has access to protected health information, how such information will be used, and when it may be disclosed; (b) required business associates to protect the privacy of such health information; (c) trained employees in the applicable privacy policies and procedures; and (d) designated a Privacy Officer to be responsible for ensuring that such policies and procedures are followed. HIPAA may also apply to certain research activities such as the collection and use of personally identifying health information from patient populations in clinical settings. Further information regarding compliance with HIPAA is available through the University’s Privacy Officer in Risk Management.

The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA))

Enacted in 1999, the GLBA requires financial institutions to carefully protect customers’ financial information. Universities are “financial institutions” by virtue of their loan servicing and therefore must comply with GLBA provisions. The GLBA has two relevant components: (1) “safeguarding” rules and (2) privacy rules. All personally identifiable financial information from students, parents, and employees must be safeguarded against foreseeable risks of disclosure, intrusion and systems failure. The University has designated information security program managers in the business units that handle financial information, identified risks to the security of financial information, and is developing security programs to protect against risks. As the privacy standards of GLBA must be followed for all non-student financial information, the University is developing a privacy policy to comply with GLBA and will make required privacy notifications to non-student customers whose financial information is obtained. More information is available on the Federal Trade Commission web site: http://www.ftc.gov/privacy/glbact.

The Technology, Education, and Copyright Harmonization Act (TEACH Act)

Enacted in 2002, the TEACH Act relaxes certain copyright restrictions so that accredited, non-profit colleges and universities may use multimedia content for instructional purposes in technology-mediated settings. However, the TEACH Act carries a number of security requirements designed to ensure that digitally transmitted content will be accessible only to students who are properly enrolled in a given course.

State Laws

In addition to the federal laws summarized above, there may be particular state laws that apply to the handling of confidential information. For example, state laws may govern the collection or use of information regarding children, consumers and other groups. Before establishing new practices with regard to the handling of confidential information, University employees are encouraged to consult the Office of General Counsel in order to determine whether specific Louisiana laws apply.

Subpoenas and Other Compulsory Requests

Many of the federal and state laws described above create exceptions allowing for the disclosure of confidential information in order to comply with investigative subpoenas, court orders and other compulsory requests from law enforcement agencies. Employees who receive such compulsory requests should contact the Office of General Counsel before taking any action.

Vendor Agreements

When negotiating contracts with third party vendors, University employees should consider whether such vendors require access to University databases or to other filing systems containing confidential information. Agreements providing third party vendors with access to such information must ensure that the vendor is subject to obligations of confidentiality that will enable the University to comply with its own obligations under the applicable privacy laws. In addition, such vendors should be contractually obligated to implement data protection and security measures that are commensurate with the University’s practices. By the same token, University employees must be careful not to disclose confidential information entrusted to their care by an outside party, especially when such information is governed by the terms of a confidentiality agreement or clause with that party.