Related Rules and Regulations
In addition to Massachusetts regulations (201 CMR §17), handlers of PIRN should also be aware of these other laws and regulations regarding personal information:
Family Educational Rights and Privacy Act (FERPA)
Although student education records that include an individual's Social Security number, financial account number or other PIRN are covered by this Information Security Program, all student records, regardless of whether they contain PIRN, are also subject to the requirements of FERPA. For more information, see MIT's Student Information Policy.
Payment Card Industry Data Security Standard (PCI DSS)
Personal credit card information is PIRN and is covered by this Information Security Program. In addition, MIT merchants who accept credit cards must follow MIT's Merchant Policies, which include MIT's PCI DSS Policy.
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires “financial institutions” to adopt certain privacy safeguards. Insofar as “covered transactions” under GLBA include an individual's financial account number, this Information Security Program would also cover them.
FACTA "Red Flag Rules"
Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), also known as the Red Flag Rules, requires that all organizations subject to the legislation develop and implement a written "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft in connection with the opening of certain new and existing accounts. In accordance with federal regulations, MIT has adopted an Identity Theft Prevention Program (pdf). The safeguards referenced in the Identity Theft Prevention Program are the same as the minimum security standards referenced in this Program.