Laws, Policies, and Regulations

All members of the community must pay special attention any time sensitive information crosses their desks, as required by both MIT Policy and Federal and State laws.

MIT Policies

MIT Policy 11.0 on Privacy and Disclosure of Information

MIT Policy 13.2 on use of Information Technology

IS&T Policy: DHCP Usage Logs

IS&T Policy: Web Server Access Logs

IS&T Policy: User Accounts Password

IS&T Policy: User Accounts

IS&T Policy: IT Staff Access to Confidential Data

IS&T Policy: Google Analytics

Protections by the Commonwealth of Massachusetts

Data Breach page on the website.

Massachusetts Data Breach Security Law - The Commonwealth’s Data Breach Security Law, Mass. General Law, Chapter 93H, has been in effect since October 31, 2007. It outlines when businesses and government agencies should notify residents of data breaches.

Massachusetts Regulations (.pdf) - The Office of Consumer Affairs in Massachusetts created 201 CMR 17.00. These are the standards for the protection of personal information of residents of the Commonwealth. They were approved in Sept. 2008, and are effective as of March 1, 2010.

Federal Laws and Regulations

Family Educational Rights and Privacy Act (FERPA) - Student records are covered by the requirements of this act.

Payment Credit Industry Data Security Standards (PCI DSS) - Personal credit card information is covered by these data security standards and apply to anyone who is a merchant or handles credit card and debit card transactions.

Health Insurance Portability and Accountability Act (HIPAA) - Describes protections for health information.

Gramm Leach Bliley Act (GLBA) - Requires financial institutions to protect nonpublic personal information.


Security Breach Notification Laws by State - Most of the US states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.