
Compliance & Regulations
Why Compliance Matters: Protecting Our Institution, Data, and Reputation
Data is one of our most valuable assets in today's digital landscape. As a leading institution handling a vast array of sensitive information—from financial and health records to research and student data—we must adhere to strict security and regulatory frameworks. Compliance with these frameworks is not just a legal obligation; it is a fundamental responsibility that ensures our data's integrity, confidentiality, and availability while safeguarding the trust placed in us by students, employees, partners, and the broader community.
The Importance of Compliance
1. Protecting Sensitive Data
We manage Controlled Unclassified Information (CUI), financial records (GLBA, PCI), health information (HIPAA), student records (FERPA), and global data (GDPR). Failure to comply with these regulations can result in unauthorized access, identity theft, financial fraud, or data breaches, putting individuals and the institution at risk.
2. Avoiding Legal and Financial Consequences
Non-compliance can lead to severe penalties, lawsuits, and regulatory fines. CMMC Level 2, HIPAA, and PCI impose stringent security requirements, and violations could result in:
- Fines and legal actions that may cost millions of dollars.
- Loss of federal funding and contracts, directly impacting research and operational budgets.
- Damage to partnerships and reputation, making it harder to collaborate with industry leaders and government entities.
3. Maintaining Institutional Trust and Reputation
Trust is at the core of our institution’s success. A data breach or regulatory failure can erode the confidence of students, parents, faculty, and stakeholders. Compliance ensures we maintain ethical standards, transparency, and accountability in managing sensitive data.
4. Enabling Business Continuity and Operational Efficiency
A structured compliance framework fosters proactive risk management, preventing incidents before they disrupt operations. By integrating security best practices, we enhance resilience against cyber threats, ensuring that critical services remain uninterrupted.
5. Meeting Federal and Industry Standards
As a research institution and an organization engaged in federal contracts, we are required to meet CMMC Level 2 standards for handling Controlled Unclassified Information (CUI). Compliance with frameworks like HIPAA, GLBA, and PCI ensures that we meet federal and industry mandates, allowing us to continue working with government agencies and commercial partners.
Compliance Is a Shared Responsibility
Faculty, staff, and students play a role in ensuring compliance. We collectively strengthen our institution's security posture by following security policies, completing mandatory training, and adhering to data handling best practices.
What You Can Do
- Follow data security policies and best practices.
- Use secure systems for storing and transmitting sensitive information.
- Report security concerns or potential compliance issues.
- Stay informed through mandatory training and institutional guidelines.
By prioritizing compliance, we protect our data, maintain regulatory approval, and uphold the trust of our community and partners. Compliance is not just about following rules but safeguarding our future.
Ensuring Compliance in Contracts
Every contract we sign must align with our security, privacy, and regulatory obligations to protect institutional and stakeholder data. Vendors handling CUI (CMMC Level 2), health data (HIPAA), financial records (GLBA, PCI), student records (FERPA), and global personal data (GDPR) must meet our security standards. To mitigate risk, contracts should include data protection terms, breach notification requirements, liability clauses, and audit rights. Ensuring vendor compliance is a key part of our Third-Party Risk Management strategy, helping us safeguard sensitive data, reduce legal exposure, and maintain trust in our partnerships. Always consult Procurement or Legal teams before signing agreements.
Contracts for Open Source and Free Software
Even when using open-source or free software, contracts and agreements remain essential to ensure security, compliance, and proper usage rights. Open-source licenses vary widely; some may include data usage clauses or legal obligations, and the software itself may carry security vulnerabilities, any of which could pose risks to our institution. By reviewing terms and establishing clear agreements, we can protect sensitive data, ensure regulatory compliance (CMMC, HIPAA, GLBA, GDPR), and mitigate legal exposure. Always consult Legal and Compliance teams before integrating open-source tools into our environment.
Many regulations apply to data handled by ASU. To determine the regulations that apply to your data, use our Data Classification Tool. If you already know which regulations apply, see which Enterprise Technology systems can be used to store regulated data with the Data Storage Selector Tool. Below you will find additional resources on some of these regulations:
Family Educational Rights and Privacy Act (FERPA)
The federal Family Educational Rights and Privacy Act (FERPA, also called the Buckley Amendment) affords students certain privacy rights regarding their education records. The full text of FERPA is available at (20 U.S.C. § 1232g; 34 CFR Part 99)
ASU defines FERPA Education Records as “Any record(s) directly related to a student and maintained by ASU or by a party acting for the university. Education records include any information or data recorded in any medium, including but not limited to handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.”
ASU Data Handling Tip: FERPA Education Records should not be used, viewed, or processed without a “Legitimate Educational Interest” as defined by FERPA.
Other than disclosure to the student, disclosure to any other parties requires either written consent of the student, or the application of a FERPA exception.
For additional details, please see the following ASU resources:
- ASU’s FERPA disclosure statement
- ASU policy SSM 107-01: Release of Student Information
- ASU policy SSM 107-02: Lost, Stolen, or Inappropriately Disclosed Student Records Information
- Required FERPA training for staff
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), coupled with the Red Flags Rule, is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (called Non-Public Information or NPI), ensuring the confidentiality and security of personal financial information. The full text of GLBA is available at (15 U.S.C. § 6801 et seq.)
ASU Data Handling Tip: The GLBA applies to FAFSA application data and data gathered for and used in the delivery of a financial service, specifically federal financial aid.
Health Insurance Portability and Accountability Act (HIPAA)
Protected Health Information (PHI) is individually identifiable health information, including demographic information, that is created or received by a HIPAA Covered Entity and that relates to the past, present, or future physical or mental health of an individual, provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual. PHI is protected by HIPAA, the Health Insurance Portability and Accountability Act. The full text of HIPAA is available at (42 U.S.C. § 1320d et al., 45 C.F.R. Parts 160 and 164)
To learn more about PHI at ASU, please visit ASU’s Get Protected page.
ASU Data Handling Tip: There are 8 units/departments that are included in the ASU Covered Entity under HIPAA regulations. For a list of those covered entities, please click here.
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is a category of information in the United States federal government that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, but is not classified under Executive Order or the Atomic Energy Act. To learn more about CUI, please visit the National Archives' information page for CUI.
ASU Data Handling Tip: If you are handling CUI, your ASU-managed device must be encrypted by your IT Support Unit, and you must follow stringent security controls.
For more about compliance in Higher Education, see the Higher Education Compliance Matrix.
ABOR Policies
ABOR Policy 9-202F states that, "Each university shall establish an Information Security Committee. The Committee will review and recommend information security policies and standards, and provide guidance and support to the Information Security Officer or Information Security Director for the implementation and maintenance of the Program."
ABOR Policy on Information Security
A.R.S. 18-552 - Arizona Data Breach Notification Statute
The following is the Arizona State Statute regarding notification requirements in the event of a data breach involving personal information. Please note that any breach, suspected breach, or suspected loss of data should be reported through the Information Security Incident Response process.
18-552 Arizona Breach Statute
18-551 Definitions
A.R.S. 38-448 - State employees; access to internet pornography prohibited; cause for dismissal
Arizona law allows for the dismissal or discipline of state employees who use state-owned equipment to view material or services that depict nudity or sexual activity, unless the employee has the authorization of the agency head. The statute governs all ASU employees, including student employees.
More Information regarding computer use at ASU
A.R.S. 13-2316 - Computer Tampering
Arizona law considers tampering with state computer systems to be a class 3 felony. This includes "[a]ccessing, altering, damaging or destroying any computer, computer system or network" with malicious intent or using state networks or computer systems "recklessly."
More information regarding the state Computer Tampering statute
California Consumer Privacy Act (CCPA)
The CCPA grants California residents (ASU has resident students in California) significant control over their personal information. It lets consumers know what data businesses collect about them, request deletion, and opt out of data sales. The CCPA applies to for-profit businesses meeting specific criteria, such as annual revenues over $25 million or handling data of 100,000 or more California residents. Non-compliance can result in fines of up to $7,500 per violation, and consumers can sue if their data is exposed due to inadequate security.
New York SHIELD Act
The SHIELD Act strengthens New York's data breach notification requirements and mandates appropriate security measures to protect personal information. It expands the definition of private information to include biometric records and login credentials. Businesses must adopt administrative, technical, and physical safeguards, such as employee training and intrusion detection systems. Non-compliance may lead to civil penalties and legal action from the state attorney general.
Non-Arizona State Privacy Laws
Many US states have passed comprehensive privacy laws. These state laws are generally one of two main types: those that contain organizational exemptions for public-sector organizations or higher education institutions like ASU, and those that exempt specific types of data that are governed by other regulations such as FERPA, HIPAA, and GLBA. Other data collected by ASU from data subjects in these states may be subject to these laws.
Most of these laws require common privacy best practices, including:
- Ensuring rights for data subjects (individuals)
- Mandating organizational responsibilities
PCI Compliance (payment card industry)
ASU Cybersecurity requires that all departments with a business requirement to process cards are in compliance with the current PCI DSS Data Security Standards.
Workstation/device hardening standards - ASU has adopted the Center for Internet Security (CIS) standards for hardening servers, workstations and mobile devices.
Please visit the ASU PCI compliance merchant services site for more information.
Defense Industry: DFARS (Defense Federal Acquisition Regulation Supplement)
DFARS includes cybersecurity requirements for defense contractors working with the Department of Defense (DoD). Contractors must implement NIST SP 800-171 controls to protect Controlled Unclassified Information (CUI) and report cybersecurity incidents to the DoD. Compliance is critical for securing defense contracts; failure can result in disqualification from defense projects.
The Cybersecurity Maturity Model Certification (CMMC) adds accountability by requiring contractors to meet specific cybersecurity maturity levels based on the sensitivity of the information handled. With the necessary certification level, businesses can bid on defense contracts.
ASU's CMMC specific pages can be found here
The International Traffic in Arms Regulations (ITAR)
The US Department of State is responsible for regulating the export and temporary import of defense articles and services governed by 22 U.S.C. 2778 of the Arms Export Control Act ("AECA"; see the AECA Web page) and Executive Order 13637. The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130) implement the AECA. Arizona State University is required to observe all ITAR regulations in dealing with research articles that pertain to defense.
More information about ITAR is available here: US State Department ITAR Information
Many countries have passed comprehensive privacy laws, some of which may apply to data handled by ASU, even when the handling occurs within the United States. Foreign privacy laws include:
- General Data Protection Regulation (GDPR) from the European Union / European Economic Area
- General Data Protection Regulation (GDPR UK) from the United Kingdom
- Personal Information Protection Law (PIPL) from the People's Republic of China
- Lei Geral de Proteção de Dados (LGPD) from Brazil
- Digital Personal Data Protection Act (DPDP Act) from India
- Personal Information Protection Act (PIPA) from South Korea
And many more.
Most of these laws require common privacy best practices, including:
- Ensuring rights for data subjects (individuals)
- Mandating organizational responsibilities