Related Rules and Compliance

In addition to Massachusetts regulations 201 CMR §17 (.pdf), handlers of PIRN should also be aware of these other laws and regulations regarding personal information:

Federal or State Regulations

Massachusetts Data Breach Notification Law: Chapter 93H
This Massachusetts law requires that businesses and government agencies notify residents of data breaches in certain situations. Notification to the Attorney General, the Director of Consumer Affairs and Business Regulation and the affected resident is required when the business or agency "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." These breaches include hard copy as well as electronic data.

The law defines "personal information" as a resident's first name and last name, or first initial and last name in combination with any one or more of the following:

1) Social Security number,
2) driver's license number or state-issued identification card number, or
3) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.

Family Educational Rights and Privacy Act (FERPA)
Although student education records which include an individual's Social Security number, financial account number or other PIRN are covered by this Information Security Program, all student records, regardless of whether they contain PIRN, are also subject to the requirements of FERPA. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the confidentiality of many student records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. For more information, see MIT's Student Information Policy.

Payment Card Industry Data Security Standard (PCI DSS)
Personal credit card information is PIRN and is covered by this Information Security Program. Additionally, MIT merchants who accept personal credit cards must also follow MIT's Merchant Policies that include MIT's PCI DSS Policy. If a merchant agrees to accept credit cards as a form of payment, Payment Card Industry (PCI) Compliance is a requirement and is intended to help merchants protect their customers from fraudulent transactions.

Health Insurance Portability and Accountability Act (HIPAA)
The federal Health Insurance Portability and Accountability Act (HIPAA) requires MIT as a health care provider to maintain the confidentiality of electronic health information that can be linked to an individual patient (electronic Protected Health Information, or ePHI). For information about protected health information maintained by MIT Medical, see MIT's Medical Privacy page and MIT's Medical Privacy Policy.

Gramm-Leach-Bliley Act (GLBA)
The GLBA requires “financial institutions” to adopt certain privacy safeguards. Insofar as “covered transactions” under GLBA include an individual's financial account number, this Information Security Program would also cover them.

FACTA "Red Flag Rules"
Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), also known as the Red Flag Rules, requires that all organizations subject to the legislation develop and implement a written "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft in connection with the opening of certain new and existing accounts. In accordance with federal regulations, MIT has adopted an Identity Theft Prevention Program (pdf). The safeguards referenced in the Identity Theft Prevention Program are the same as the minimum security standards referenced in this Program.

MIT policy requirements

All policies related to handling data are listed on the Laws and Policies page. If you are handling sensitive data, know in particular MIT Policies 11.0 and 13.0. Learn, and teach others, the level of sensitivity of the data handled in your area, which guidelines should be followed, and which legal regulations apply to that type of data (e.g. FERPA or HIPAA). Understand what you can do to protect this information and what the implications of disclosure are.