MIT policy requirements
If you are handling sensitive data, know the MIT policies that apply (in particular MIT Policies 11.0 and 13.0). Learn and teach others about the level of sensitivity for the data being handled in your area and which guidelines should be followed as well as which legal regulations apply to this type of data (e.g. FERPA or HIPAA). Understand what you can do to protect this information and what the implications are of disclosure.
Know the federal and state laws and the obligations they impose on MIT to protect the confidentiality of information for students, employees and patients. These laws include:
Massachusetts Data Breach Notification Law: Chapter 93H
This MA law requires that businesses and government agencies notify residents of data breaches in certain situations. Notification to the Attorney General, the Director of Consumer Affairs and Business Regulation and the affected resident is required if it "knows or has reason to know of a breach of security" or "knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose." These breaches include hard copy as well as electronic data.
The law defines "personal information" as a resident's first name and last name, or first initial and last name in combination with any one or more of the following:
1) Social Security number, 2) driver's license number or state-issued identification card number or 3) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
The federal Health Insurance Portability and Accountability Act (HIPAA) requires MIT as a health care provider to maintain the confidentiality of electronic health information that can be linked to an individual patient (electronic Protected Health Information, or ePHI).
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protect the confidentiality of many student records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
If a merchant agrees to accept credit cards as a form of payment, Payment Card Industry (PCI) Compliance is a requirement and is intended to help merchants protect their customers from fraudulent transactions.