The Information Security Office is responsible for coordinating compliance with state, federal and international laws and regulations dealing with the security of Carnegie Mellon's information resources. This includes partnering with the Office of General Counsel and impacted business units to implement appropriate policies, procedures and controls to maintain compliance with legal requirements. The following highlights some of these legal requirements.
Data Breach Notification
Laws and regulations exist that require notification of affected individuals when a data security breach has occurred and when certain conditions are met. The Information Security Office coordinates suspected breach response activities including breach investigation and confirmation, as well as the identification and notification of affected individuals when necessary.
When a civil lawsuit is filed, the involved parties engage in a pre-trial process called "discovery" where each party may request documents and other evidence from the other parties or compel the production of evidence using subpoenas or other legal instruments. While Electronically Stored Information ("ESI") has been subject to discovery for several decades, until recently there were no specific rules governing the discovery of ESI. In 2006, the Federal Rules of Civil Procedure were amended to include several new provisions specific to the preservation and production of ESI. The Information Security Office has partnered with the Office of General Counsel to publish guidance for faculty and staff who become involved in such a discovery process.
Export Control Regulations
Several agencies of the federal government have published regulations restricting the “export” of certain types of information from the United States without first obtaining an appropriate export license. These regulations include the Export Administration Regulations (“EAR”) administered by the U.S. Department of Commerce, the International Traffic In Arms Regulations (“ITAR”) administered by the U.S. Department of State, and embargo regulations administered by the Office of Foreign Asset Controls (“OFAC”) within the U.S. Department of Treasury. The Information Security Office has published guidance for researchers who are required to safeguard export controlled materials.
Higher Education Opportunity Act of 2008
In 2008, the Higher Education Opportunity Act (HEOA) was signed into law. In 2009, the U.S. Department of Education published final regulations implementing HEOA. These regulations include provisions designed to stem unauthorized distribution of copyrighted materials, such as music, movies and books. One of these provisions requires that Carnegie Mellon develop and implement a written plan to combat the unauthorized distribution of copyrighted materials by users of the institution's network.
European Union (EU) General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (“GDPR”) imposes data privacy and data protection requirements on entities that control or process personal data about people in the 28 member countries of the European Union (“EU”) as well as countries located in the European Economic Area (“EEA”). GDPR’s requirements also apply to entities located outside of the EU that control or process the personal data of anyone who is in the EU, regardless of EU citizenship. The Information Security Office, in collaboration with the Office of General Counsel, Data Stewards, and other key stakeholders, maintains documentation and guidance for complying with GDPR requirements.