Due to the types of data collected, processed, and stored by Daemen, the college is subject to compliance and audit requirements in several areas of regulatory compliance.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information, and help the healthcare industry control administrative costs.
Healthcare information is among the most private and sensitive information in regular use. Health records must meet a higher standard of security because they must not only be stored securely but also remain readily accessible to anyone authorized to see them. Because both digital and physical records are common, HIPAA compliance is a little different from other compliance regulations in that it has both Physical Safeguards and Technical Safeguards to follow.
The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that provides certain protections with regard to education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.
Educational records are official records, such as grades, Social Security number, driver’s license number or account balance, that can be directly related to an identifiable student. Since Daemen College falls under FERPA legislation, we are required to maintain the confidentiality of students’ educational records.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions (companies and institutions that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
GLBA applies due to the college’s financial relationship with students. A critical part of GLBA is the Safeguards Rule, which requires administrative, technical, and physical safeguards for covered data. Covered data is any personally identifiable financial information that a customer provides to obtain a financial service or product from Daemen College. Covered data includes Social Security number, credit card number, account balance, passport information, tax return information, bank account information, driver’s license number, and date of birth.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle credit cards. This is a set of rules that outlines the accepted security standards for credit and debit cards, whether they’re used online or in person.
Since the college processes payment card data from credit and debit cards, we must adhere to the Payment Card Industry’s Data Security Standard (PCI DSS). Cardholder data includes the payment card number (known as a Primary Account Number or PAN) and any associated account information, including:
- the cardholder’s name
- the payment card’s expiration date
- the three- or four-digit verification code
- any other authentication data related to the cardholder.