FERPA is the leading federal privacy law for educational institutions. It prohibits the disclosure of "personally identifiable information" not listed as directory information by the institution. View Loyola Marymount University's FERPA statement.
Directory Information includes the student's name, address, telephone number, date and place of birth, major field of study, participation in officially recognized sports and activities, weight and height of athletes, dates of attendance, and degrees and awards received.
Higher education institutions are tied to this federal legislation due to the processing of federal loans for financial aid.
HIPAA was enacted to protect the rights of patients and participants in health plans. Higher education institutions should consider two sets of HIPAA requirements when complying with the law: the Privacy Standards and the Security Standards. The Privacy Standards were passed to ensure the privacy of individually identifiable information when it is transmitted between employers and providers. The Security Standards are organized into three categories: administrative, physical, and technical safeguards.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
A significant impact of the USA PATRIOT Act on higher education is its mandate requiring the INS to develop and implement the Student and Exchange Visitor Information System, or "SEVIS." SEVIS is an Internet-based system that allows schools to transmit information on foreign students to the INS for purposes of tracking and monitoring. The system compiles students' personally identifiable information, including admission at port of entry, academic information, and disciplinary information. FERPA's restrictions have been waived to allow schools to disclose this information, which must be maintained and updated for the duration of a student's stay in the United States.
The Digital Millennium Copyright Act (DMCA), the No Electronic Theft Act (NET Act), and other federal laws make copyright infringement a criminal offense and also provide for civil penalties. You can be prosecuted in criminal court and/or sued for damages in civil court. Criminal penalties for first-time offenders can be as high as five years in prison and $250,000 in fines. Civil penalties can run into many thousands of dollars in damages and legal fees.
California's Security Breach Notification Act (SB 1386) Cal. Civil Code §1798.82
California was the first state to enact a law requiring notification of a data breach. This law requires any state agency, person, or business that owns or licenses computerized personal information to disclose any breach of a resident's personal information. Personal information, as defined by the Act, includes an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social security number.
- Driver's license number or California Identification Card number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
As of September 2007, there are 35 other state security breach notification acts that are similar to California's. Federal breach notification legislation is pending.
California's Social Security Number Confidentiality Act Cal. Civil Code §1798.85 - 1798.86
This legislation restricts the use of social security numbers on ID cards, the posting of SSNs on the Internet, and requiring users to enter their SSN to access a web site that is not encrypted and does not also require another personal identification number, such as a password, to access the site.
California's Online Privacy Protection Act of 2003 (OPPA) Business and Professions Code §22575 - 22579
For more privacy laws pertaining to California, please visit California's Office of Privacy Protection.