MUSC, and its faculty, staff and students, are required to comply with many different state and federal laws, regulations, and rules. MUSC is also required to meet a number of different accreditation standards. In addition to meeting these external, compliance-related and accreditation-related rules and regulations, we have an ethical duty to protect the privacy and security of much of the electronic information that is entrusted to our care.
To enable its faculty, students and staff to understand their role in meeting these obligations, MUSC has a number of enterprise-wide policies related to information security. This document provides references to some of the statutes, regulations, codes, and other standards that have a direct or indirect impact on those information security policies.
(S.C. Code of Laws 30-1-10 et seq.) Public Records Act - establishes legal and administrative requirements for records kept by state agencies, including electronic records.
(S.C. Code of Laws 30-2-10 et seq.) Family Privacy Protection Act of 2002 - state agencies must develop policies and procedures to protect the privacy of the citizens they serve.
(S.C. Code of Laws 30-4-10 et seq.) Freedom of Information Act (FOIA) - provisions for public access to many types of agency records.
(S.C. Code of Laws 16-16-10 et seq.) Computer Crime Act - prohibitions associated with unauthorized use, access, or modification of computers, computer systems, and networks.
(S.C. Code of Laws 16-3-850) Film processor or computer technician to report film or computer images containing sexually explicit pictures of minors - requires a film processor or computer technician who encounters such images in the course of their work to report them.
(S.C. Code of Regulations Chapter 12) SC Department of Archives and History - these regulations include general retention schedules for various types of agency records, including electronic records; see latest schedules and guidance from SCDAH.
(5 U.S.C. Sec. 552) Freedom of Information Act (FOIA) - provisions for public access to many types of federal agency records, subject to exemptions that include some categories of personal information protected under the Privacy Act.
(5 U.S.C. Sec. 552a) Privacy Act - collection, notification, disclosure, and handling requirements for personal data.
(18 U.S.C. Sec. 1030) Computer Fraud and Abuse Act - prohibitions associated with unauthorized access and use of electronic systems.
(18 U.S.C. Sec. 2510 et seq.) Wiretap Statute - prohibitions associated with the use of eavesdropping technology and the interception of electronic mail, radio communications, data transmission, and telephone calls without consent.
(18 U.S.C. Sec. 2701 et seq.) Stored Communications Act (Title II of the Electronic Communications Privacy Act, ECPA) - prohibits providers of electronic communication services from disclosing the contents of stored communications.
(18 U.S.C. Sec. 2703) Requirements for Government Access - rules governing how government agencies obtain disclosure of stored electronic communications or transactional records from a provider of such services.
(20 U.S.C. Sec. 1232g) Family Educational Rights and Privacy Act (FERPA) - the protection, accessibility and disclosure of education records, and the right of a student (or the parent of a minor student) to inspect those records and seek correction of inaccurate or misleading information.
(47 U.S.C. Sec. 1001 et seq.) Communications Assistance for Law Enforcement Act (CALEA) - preserving law enforcement's ability to engage in lawful electronic surveillance in the face of new technological developments.
(16 CFR Part 314; Federal Register, May 23 2002) Gramm-Leach-Bliley Act (GLBA) FTC Safeguards Rule - requires institutions that provide financial services (including universities) to have a security plan to protect the confidentiality and integrity of customer information.
(Pub. L. 104-191 Sec. 262, 264; 45 CFR Part 164; Federal Register, Feb 20 2003) Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy - rules for the security and privacy of individually identifiable health information that is maintained or transmitted by a covered entity and its business associates.
(21 CFR Part 11) Electronic Records; Electronic Signatures - Food and Drug Administration (FDA) regulations that set forth the criteria under which electronic records and electronic signatures will be considered trustworthy and reliable; see latest status and guidance on these regulations from the FDA.
(Pub. L. 105-304; US Copyright Office Summary) Digital Millennium Copyright Act of 1998 (DMCA) - prohibitions relating to the circumvention of technological copyright protections, and the integrity of copyright management information; certain limitations on online service provider liability, and special rules regarding the liability of nonprofit educational institutions.
(Pub. L. 107-56) Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) - a variety of special provisions for countering terrorist acts, including expanded investigative options for law enforcement and a student monitoring program (with exceptions to FERPA).
Joint Commission on Accreditation of Healthcare Organizations (JCAHO) - an independent, not-for-profit organization, JCAHO accredits nearly 17,000 health care organizations nationwide. JCAHO specifically evaluates information security practices as elements of performance within the Information Management (IM) program.
Southern Association of Colleges and Schools (SACS) Commission on Colleges - the regional accrediting body for institutions that award associate, baccalaureate, master's or doctoral degrees in the eleven US Southern states. The SACS COC Principles of Accreditation specifically require protecting the security, confidentiality and integrity of student records, and maintaining appropriate control over all financial and physical resources.