Security: Federal IT Policies

  • DMCA    The Digital Millennium Copyright Act of 1998

The Digital Millennium Copyright Act, enacted in 1998, seeks to update U.S. copyright law for the digital age in preparation for ratification of the World Intellectual Property Organization (WIPO) treaties. Key among the topics included in the DMCA are provisions concerning the circumvention of copyright protection systems, fair use in a digital environment, and online service provider (OSP) liability (including details on safe harbors, damages, and "notice and takedown" practices).

Louisiana State University DMCA Policy and Agent Information

Under the Digital Millennium Copyright Act of 1998 (DMCA), it is the policy of Louisiana State University to expeditiously investigate notices of copyright infringement and to act on infringing activity in an appropriate manner.  In accordance with the DMCA, any activity that may constitute a copyright infringement should be reported in writing to the University's DMCA agent. The designated DMCA agent at Louisiana State University is:

Sumit Jain
Chief IT Security & Policy Officer
200 Frey Computing Services Center
Louisiana State University
Baton Rouge, LA 70803
Telephone: 225-578-3700
Fax: 225-578-3709


  • FERPA    The Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act of 1974, also known as the Buckley Amendment, is a federal law that protects the privacy of student “education records.” “Education records” are defined, with a few exceptions, as records containing information directly related to a student that are maintained by a school or its agent (including electronic records). FERPA prohibits schools from disclosing education records, or personally identifiable information in those records, other than certain basic directory information, without the student’s prior written consent, or the parent’s consent if the student is under the age of 18. The student may even request that directory information be withheld. Some exceptions do apply, such as cooperation in criminal investigations.

Disclosure is defined as permitting access to, or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic. Exposing student education records to unauthorized access due to inadequate security measures may arguably constitute a disclosure in violation of FERPA. Other FERPA obligations may be affected by security and system integrity breaches. FERPA provides students the right to access and petition to correct their records, and a security breach might result in the loss or alteration of student records. Similarly, FERPA requires schools to track disclosures of education records to third parties and maintain a database of students who opt out of directory information disclosures. Security breaches may impair a school’s ability to perform these functions.

Under the terms of FERPA, Louisiana State University (LSU) has established the following as Directory Information, which may be released to those requesting it unless the student specifically requests otherwise by submitting written notification in person to the Office of the University Registrar:

  • Student Name
  • Local Address/Phone
  • Home Address/Phone
  • E-mail Address
  • Date & Place of Birth
  • Degrees and Awards/Honors Received and Dates
  • Dates of Attendance (Current and Past)
  • Full or Part-Time Enrollment Status
  • Participation in Officially Recognized Sports
  • Weight/Height of Members of Athletic Teams
  • Most Recently Attended Educational Institute
  • Major Field of Study/Classification

All other information may not be released without written consent of the student. Grades, LSUIDs, Ethnic Backgrounds and Student Schedules may not be released to anyone other than the student without the student’s written consent, and NEVER over the phone. Please note that students may restrict Directory Information at any time. If the student restricts the release of Directory Information, a special overlay screen appears when you attempt to access the student’s record on the SRR database; no information may be released on that student without further written permission.

Further information on FERPA can be found at:


  • GLBA    Gramm-Leach-Bliley Act: Financial Privacy and Pre-texting of 1999

The Gramm-Leach-Bliley Act was signed into law in 1999 and is applicable to financial institutions, including colleges and universities. Under GLBA, institutions are obliged to protect customer financial information. The GLBA requires companies and organizations to ensure the security of personally identifying information of financial institution customers, such as names, addresses, account and credit information, and Social Security numbers. In addition, the GLBA sets forth extensive privacy rules, which require covered financial institutions to provide customers with privacy statements describing company privacy practices. However, the Federal Trade Commission’s (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with FERPA.

More information on GLBA can be found at:


  • HIPAA    Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act, enacted by Congress in 1996, was intended to create a national standard for the protection of personally identifiable information relating to health care. HIPAA requires entities to: adopt written privacy procedures that describe who has access to protected information, how such information will be used, and when the information may be disclosed; require their business associates to protect the privacy of health information; train their employees in their privacy policies and procedures; take steps to protect against unauthorized disclosure of personal health records; and designate an individual to be responsible for ensuring the procedures are followed. Education institutions may be obligated to comply with HIPAA in connection with a broad range of activities.

HIPAA requires protection of "Protected Health Information." Protected health information is:

  • Individually identifiable health information
  • Maintained or transmitted
  • In whatever form the information exists, including oral communications

Individually identifiable health information is a subset of all health information collected from an individual that is:

  • Created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual or payment for the provision of health care to an individual; and
  • Identifies the individual or could be used to identify the individual.

The term "individual" includes deceased persons and may include minors.

Typically, the following types of records and activities involve Protected Health Information and are subject to regulation:

  • Medical records, including electronic and paper medical records consisting of case histories, clinical records, diagnostic films and test results as well as treatment charts and progress reports. Medical information transmitted orally may also be considered Protected Health Information.
  • Other health information, including insurance information such as claims submission, adjudication and payment, eligibility determination and reporting, utilization review, referrals and authorizations, grievance and appeals, and medical management information such as utilization management.

More information on HIPAA may be found at

10/15/2019 7:27:54 AM