Cyber and Privacy Legal Review

Ohio State must comply with LEG1.1 (Legal and regulatory review: applicable legislation and regulations must be identified and reviewed periodically). To help you meet this requirement, we have compiled the following summary of state, federal, and international laws, as well as industry standards. Please familiarize yourself with these laws and standards and how they might affect work within your organization. We will note changes to the tables below as necessary.

We will, when possible, map the following laws and regulations to the ISCR. When a mapping is complete, we will notify the Security Coordinators of its availability in the IRMF.

If you have any questions, please send an email to the Security Governance team at riskmgmt@osu.edu.


Last updated: November 1, 2021 (web page launch)

State Laws

The following state of Ohio laws impact Ohio State:

Law: OH H 368, Enact Ohio Computer Crimes Act (pending; proposed 2/16/21)
Summary: The bill aims to reduce the frequency of cybercrime by updating and modernizing Ohio's computer crimes laws. It makes electronic data theft and electronic data tampering felonies of the third degree. House Bill 368 also allows those harmed by a violation to bring a civil action against a person convicted under the law; they may recover compensatory damages, attorney fees, or other equitable relief. In addition, Ohio prosecutors would be able to prosecute cybercriminals without having to prove and calculate damages using limited and outdated sources.
Action required: Informational

Law: Ohio Legislature Senate Bill 220
Summary: Senate Bill 220 gives businesses an incentive to achieve a "higher level of cybersecurity" by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. The Ohio State University's Information Security Control Requirements (ISCR) are based on NIST SP 800-53. To see how the ISCR maps to NIST SP 800-53, see the Information Risk Management Framework (IRMF), appendix "A".
Action required: Adhere to the ISCR.

Law: Ohio Revised Code §1347
Summary: Establishes requirements for notifying Ohio residents when certain personal information is disclosed, or is reasonably believed to have been disclosed, to unauthorized persons through a system security breach. Personal information under this law means an individual's name coupled with his or her Social Security number, driver's license number, and/or credit card information. Specific requirements vary with the size and certainty of the disclosure.
Action required: Informational

Law: Ohio Personal Privacy Act (OPPA) (currently in draft)
Summary: The OPPA would establish statutory protections for Ohioans' personal information when it is used by companies doing business in Ohio. It seeks to balance reasonable privacy standards that protect Ohioans against less bureaucracy and regulation for businesses.
Action required: TBD


Federal Laws

The following federal laws apply to Ohio State:

Law: California Consumer Privacy Act (CCPA)
Summary: CCPA is a California state law (listed here for reference) that gives consumers more control over the personal information that businesses collect about them.
Action required: Informational

Law: Children's Online Privacy Protection Rule (COPPA)
Summary: COPPA imposes requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13.
Related policy: Office of Institutional Equity, Activities and Programs with Minor Participants
Action required: TBA

Law: Communications Assistance for Law Enforcement Act (CALEA)
Summary: CALEA preserves the ability of law enforcement agencies to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation.
Action required: Informational

Law: Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
Summary: CAN-SPAM sets a national standard for the regulation of commercial email.
Action required: Informational

Law: Cybersecurity Enhancement Act
Summary: Provides for an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
Action required: Informational

Law: Cybersecurity Information Sharing Act (CISA)
Summary: Its objective is to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.
Action required: Informational

Law: Electronic Communications Privacy Act (ECPA)
Summary: ECPA expands and revises federal wiretapping and electronic eavesdropping provisions.
Related policy: Office of the Chief Information Officer, Responsible Use of University Computing and Network Resources
Action required: Informational

Law: Fair and Accurate Credit Transactions Act (FACTA)
Summary: FACTA adds provisions designed to improve the accuracy of consumers' credit-related records.
Related policy: Office of Academic Affairs, Privacy and Release of Student Education Records
Action required: Informational

Law: Fair Credit Reporting Act (FCRA)
Summary: FCRA protects information collected by consumer reporting agencies such as credit bureaus, medical information companies, and tenant screening services.
Related policy: Office of Academic Affairs, Privacy and Release of Student Education Records
Action required: Informational

Law: Family Educational Rights and Privacy Act (FERPA)
Summary: FERPA protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Related policy: Office of Academic Affairs, Privacy and Release of Student Education Records
Action required: Adhere to the ISCR.

Law: Federal Exchange Data Breach Notification Act
Summary: In the event of a security breach, this bill requires a health insurance exchange to notify everyone whose personal information is known to have been acquired or accessed. It applies to any system maintained by the exchange. Those affected must be notified as soon as possible, and no later than 60 days after discovery of the breach.
Action required: Informational

Law: Federal Information Security Modernization Act (FISMA)
Summary: FISMA defines a comprehensive framework for protecting federal government information, operations, and assets against natural and man-made threats. Organizations that work with federal agencies must comply with FISMA in order to receive contracts from those agencies.
Action required: Depending on the language in the contract, follow the "LOW", "MOD", or "HIGH" tags in the ISCR.

Law: Federal Policy for the Protection of Human Subjects ("Common Rule")
Summary: Known as the "Common Rule," this rule of ethics governs biomedical and behavioral research involving human subjects in the United States.
Action required: If your organization has human subject research questions or concerns, contact the Office of Responsible Research Practices to ensure compliance.

Law: Federal Trade Commission Act (FTC Act)
Summary: Gives the U.S. government a full complement of legal tools to use against anticompetitive, unfair, and deceptive practices in the marketplace.
Action required: Informational

Law: Gramm-Leach-Bliley Act (GLBA)
Summary: GLBA requires financial institutions, meaning companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance, to explain their information-sharing practices to their customers and to safeguard sensitive data.

The Ohio State University's information security standards are based on the National Institute of Standards and Technology's Special Publication 800-53 (NIST SP 800-53). The university created the Information Security Control Requirements (ISCR) document, which maps non-technical and technical risk areas to NIST SP 800-53 as an industry-standard basis for meeting the security requirements of regulations such as GLBA. The university mandates that organizations across the university adhere to the ISCR. We verify that this mandate is met by requiring annual completion of Ohio State's Information Security Control Requirements Assessment (ISCR.a) and by performing ongoing technical testing to demonstrate effectiveness. Ohio State's Internal Audit team and the Office of the Chief Information Officer/Enterprise Security's Security Governance team review the results, and any discrepancies are addressed and remediated. Ohio State's Chief Information Security Officer provides ongoing security posture updates to university security committees and to Ohio State's Board of Trustees. To stay ahead of emerging threats and changes to state or federal regulation, Ohio State publishes updates to the ISCR (and other supporting security documentation as needed) periodically throughout the year.
Action required: Adhere to the ISCR.

Law: Health Information Technology for Economic and Clinical Health Act (HITECH)
Summary: HITECH promotes and expands the adoption of health information technology, specifically the use of electronic health records (EHRs) by healthcare providers.
Action required: Informational

Law: Health Insurance Portability and Accountability Act (HIPAA)
Summary: HIPAA modernizes the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and health insurance industries must be protected from fraud and theft, and addresses limitations on health insurance coverage. To understand how the ISCR maps to HIPAA, see the Information Risk Management Framework (IRMF), appendix "B".
Related policy: Wexner Medical Center Compliance and Integrity, Protected Health Information and HIPAA Policy
Action required: Adhere to the ISCR control requirements with the "HIPAA" tag.

Law: Homeland Security Act
Summary: The Homeland Security Act includes the Federal Information Security Management Act (FISMA), which requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security. The Ohio State University's Information Security Control Requirements (ISCR) are based on the NIST SP 800-53 "Low" baseline.
Action required: Informational

Law: International Traffic in Arms Regulations (ITAR)
Summary: ITAR restricts and controls the export of defense and military-related technologies to safeguard U.S. national security and further U.S. foreign policy objectives.
Action required: If your organization has export control/ITAR questions or concerns, contact the Office of Secure Research to ensure compliance.

Law: Telephone Consumer Protection Act (TCPA)
Summary: TCPA restricts telemarketing calls and the use of automatic telephone dialing systems and artificial or prerecorded voice messages. Prior express consent is required.
Related policy: Ohio State Privacy Office, SMS Texting Information
Action required: Informational


Industry Standards

The following industry standard(s) impact Ohio State:

Industry standard: Controlled Unclassified Information (CUI): DFARS 252.204-7012, NIST SP 800-171
Summary: Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but that is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. It is a data classification below Classified, but it still covers data sensitive to national security.

Executive Order 13556, "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

32 CFR Part 2002, "Controlled Unclassified Information," was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, on self-inspection and oversight requirements, and on other facets of the program. The rule affects federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI, or that operate, use, or have access to federal information and information systems on behalf of an agency.
Action required: Adhere to the ISCR control requirements with the "CUI" tag. If your organization has CUI questions or concerns, contact the Office of Secure Research to ensure compliance.

Industry standard: Cybersecurity Maturity Model Certification (CMMC)
Summary: The CMMC reviews and combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels, ranging from basic cyber hygiene to more advanced protections. It governs the security of Controlled Unclassified Information.

The Security and Privacy Governance team (SPG) is working with the Office of Secure Research to ensure the university fully adheres to NIST SP 800-171 (where applicable) and to the newly released CMMC. Specific areas within the university must self-assess and report complete adherence to NIST SP 800-171 and achieve a Level 3 certification performed by a CMMC Third Party Assessment Organization (C3PAO). Level 3 is the minimum level an area within the university must achieve when handling CUI. Once the university achieves a Level 3 certification, the Department of Defense (DoD) may award Ohio State DoD contracts.
Action required: If your organization has CUI questions or concerns, contact the Office of Secure Research to ensure compliance.

Industry standard: Payment Card Industry Data Security Standard (PCI DSS)
Summary: The Payment Card Industry Security Standards Council (PCI SSC) enhances global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. To understand how the ISCR maps to PCI DSS, see the Information Risk Management Framework (IRMF), appendices "E-K".
Action required: Organizations with merchant IDs must comply with PCI DSS. Contact the Office of the Treasurer for more information.


International Laws

The following international law(s), to a degree, impact Ohio State:

Law: General Data Protection Regulation (GDPR)
Summary: This European Union (EU) regulation covers data protection and privacy for individuals in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA. The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU.
Action required: See Ohio State's GDPR statement at https://it.osu.edu/privacy/gdpr-statement.

Law: Lei Geral de Proteção de Dados (LGPD; in English, General Personal Data Protection Law), Brazil
Summary: The LGPD applies to businesses of all sizes. It provides exceptions only in a few enumerated instances, such as where data are collected exclusively for journalistic, artistic, or academic purposes, or for public safety and national defense. The LGPD also provides for extraterritorial jurisdiction: under Article 3, a personal data processor is subject to the law when the data are collected or processed within Brazil, or when the data are processed for the purpose of offering goods or services to individuals in Brazil. If either condition is met, the LGPD applies in full regardless of the country in which the organization is headquartered.
Action required: Informational

Law: Personal Data Protection Bill (India) (pending final approval by Parliament)
Summary: India's Personal Data Protection Bill sets out to align India's data protection regime with the EU's General Data Protection Regulation. It protects citizens' data and regulates the cross-border flow of data. It also creates a Data Protection Authority (DPA), which is entrusted with protecting the interests of individuals with respect to data protection.
Action required: Informational

Law: Personal Information Protection Law (China)
Summary: China's Personal Information Protection Law creates the country's first comprehensive set of data protection rules. More information to follow.
Action required: Informational