The Catholic University of America

Responsibilities of Director of Academic Technology Services/Information Security Officer

Federal Laws

Family Educational Rights to Privacy Act of 1974 (FERPA)

Summary of the Law:
Regulates the keeping and dissemination of student records at all institutions that receive federal funds or who have students receiving federal funds. Procedures must be in place to allow a student access to student records. Consent must be obtained to release student records to a third party, with certain exceptions contained in the law.

Required Action:
The Info Security Officer assists staff in encrypting electronic transfers of data, and also overseas requests for listsserv distribution to students. The Info Security Officer is consulted on contracts outsourcing functions that involve contractor access to education records.

Trademark Act of 1946

Trademarks used in interstate commerce are protected under the Trademark Act of 1946, also known as the Lanham Act. Unlike copyrights and patents, trademarks may be protected under state law, federal law, or both. Registration is not necessary for the protection of a trademark.
The Director of ATS is responsible for fielding complaints about misuse of CUA trademarks in the digital environment, and coordinating with OGC as needed.

Digital Millennium Copyright Act Title II: Online Copyright Infringement Liability Limitation
The Digital Millennium Copyright Act (DMCA) makes major changes to copyright law, and attempts to address copyright in the digitally networked environment.

The Director of ATS has responsibility for content provider complaints posted into the online DMCA database. This position generates email to students about whom a complaint of copyright infringement is received, and follows up with students who do not view the DMCA video and take the quiz by forwarding this information to the Dean of Students for action. OGC has operational responsibility for complaints of infringement where notice and takedown provisions are implicated. See flowchart for details.

N.B. Eligibility for the limited university liability under the DMCA hinges on the university adopting and reasonably implementing a policy that provides for termination in appropriate circumstances of the computer privileges of users who are repeat infringers. The ISP does not need to monitor its service (i.e., monitor its students' Web pages) or go looking for copyright infringements in order to be eligible for the ISP immunity under this law. If the university receives a complaint from a copyright owner or his/her agent that a student is unlawfully making available digitized copies of copyright-protected material through use of the university's computer networks, the complaint will be forwarded to the student who will be asked to remove the copyrighted material. The student will also be asked to read the CUA Computer Ethics Policy, complete an online tutorial on copyright law, and certify to Academic Technology Services that these actions have been taken. Failure to honor this request and complete these steps within 72 hours will result in a temporary block being placed on Internet access to the student's personal computer. In addition, first time offenders may be referred for disciplinary action under the Code of Student Conduct if the infringement is egregious, and the student's Internet access will be blocked immediately. If the University receives notification of copyright infringement with regard to a student who has already committed an infringement, the student will be referred for disciplinary action under the Code.

EDUCAUSE Commentary on Proposed HEOA Regulations Issued For P2P Provisions
Summary of requirements in regulations by Steve Worona, August 25, 2009.

Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act)

Summary of the Law
This law requires a safeguarding program, including identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluating the effectiveness of the current safeguards for controlling these risks; designing and implementing a safeguards program, and regularly monitoring and testing the program.

The Director of Academic Technology Services has been designated as the Information Security Policy Coordinator under GLB. The following tasks are included: Help the relevant offices of the University identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program and regularly monitor and test the program. Conduct training on information security on a regular basis. Broad principles are set forth in the Information Assurance Policy. Any necessary procedures are to be put in place by the Director of ATS.

Fair Credit Reporting Act and Red Flag Rules
Summary of the law
If the school meets the definition of a creditor under the FCRA (any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit, see 15 USC 1691a), then the school has several obligations under the final rules, which include periodically determining if it maintains covered accounts, and if it does, then developing and maintaining an identity theft program for those accounts, which has been approved by the Board of Directors or an appropriate committee, among other items (see 16 CFR 681.2). 

The latest notice delays enforcement until Dec. 31, 2010. Congress will consider legislation addressing the scope of the rule. As was the case previously, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R.§641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R.§681.2).


Frequently asked Questions on the Red Flag Rule.

Responsibilities of Director of ATS
The Director of ATS (as Information Security Officer) is responsible for ensuring that a written identity theft program is in place, and that an annual report is made to a committee of the Board of Trustees, and that staff is trained to implement the program. The Director of ATS is also responsible for oversight of any service-provider arrangements. This would include the outsourcing of tuition payments made in more than one payment.

Federal Rules of Civil Procedure Related to Discovery and Electronically Stored Information
Summary of the Law
Under this Federal Rule of Civil Procedure the university must have a process in place with respect to retention of data when litigation can be reasonably anticipated.

Responsibilities: The Director of ATS is the person responsible in CPIT for coordinating litigation holds with the OGC.

Payment Card Industry Data Security Standard
Summary of the Standard: See above.
CUA is currently at level 4 PCI compliance. The Director of ATS is responsible for monitoring PCI compliance, and for overseeing the process of moving to Level 3 Compliance.

Program Participation Agreements as amended by the Higher Education Opportunity Act

Summary of the law
20 USC 1092 (a)(1)(P) requires IHEs to, on an annual basis, provide all enrolled students with a list of information that is required to be disclosed under the law with information on how to obtain further information.

The Director of Academic Technology Services is responsible for:

  • the annual disclosure that explicitly informs students that unauthorized distribution of copyrighted material, including unauthorized peer-to-peer file sharing, may subject the students to civil and criminal liabilities;
  • a summary of the penalties for violation of Federal copyright laws; and
  • a description of the institution's policies with respect to unauthorized peer-to-peer file sharing, including disciplinary actions that are taken against students who engage in unauthorized distribution of copyrighted materials using the institution's information technology system.

Communications Act of 1934
The Director of ATS should monitor (along with the OGC) developments under this law that might apply to the university.


Under the law, companies may send transactional or relationship emails, commercial email where the recipient has given consent, and certain unsolicited commercial email messages. Commercial email is defined in the law as those emails that have as their primary purpose the promoting or advertising of a commercial product or service. The law specifically prohibits the sending of commercial (including transactional) email that is accompanied by header information that is materially false or misleading or with a deceptive subject heading. The law requires the inclusion of a functioning return electronic mail address (or other Internet based mechanism) on all commercial email that the recipient may use to submit a reply not to receive further email from the sender. Commercial email must include clear and conspicuous identification that the message is an ad, notice of the chance to decline further email, and a valid physical postal address from the sender. Best practices are these:

  • Always provide clear, accurate source and contact information for all email sent by staff members or sent on behalf of the organization, including a valid email and postal address to which replies can be sent, and a subject line that correctly reflects the message's contents.
  • Provide email recipients with a clear method for unsubscribing or opting out of future messages. Develop standard opt-out language for all email messages, such as to type "unsubscribe" in the subject line and hit "Reply," or to click a link to a web site that automatically unsubscribes the recipient.
  • Create clear systems and procedures to honor any stop email request in a timely fashion, preferably within 10 business days. Train staff and volunteers on proper procedures for sending email, and have a designated official regularly review outgoing messages to verify that they meet internal standards.
  • Clearly explain the organization's email policies to any corporate sponsors, partners, or vendors with whom it might be cooperating.
  • Ensure that outside vendors comply with industry standards such as those developed by the Direct Marketing Association or the Association for Interactive Media's Council for Responsible Email. Any vendor or organization sending email on your behalf should provide to you the email address of anyone who has requested to be dropped from your email communications list.

The Director of ATS has the responsibility to ascertain if admission or alumni relations are sending any *commercial* messages, and if so, to ensure the above "best practices" are followed.

Federal Rules of Civil Procedure Related to Discovery and Electronically Stored Information

On April 12, 2006 (and effective Dec. 1, 2006), the below listed Federal Rules of Civil Procedure were amended to clarify the process of retrieving, saving and producing electronically stored information in anticipation of and during litigation. The rules impose an obligation to identify data that is potentially relevant and reasonably accessible, as well as data that may be relevant but not accessible. There is a duty to preserve what a party knows, or reasonably should know, is relevant in the action, is reasonably calculated to lead to the discovery of admissible evidence, is reasonably likely to be requested during discovery, and/or is the subject of a pending discovery request. This duty attaches in anticipation of litigation as well. The Director of ATS receives the litigation holds for electronic information and executes the hold.

Health Insurance Portability and Accountability Act of 1996

The ERISA Health Plan documents designate the Information Security Officer as the person responsible for resolving any issues of non-compliance and for overseeing compliance with HIPAA Security Standards.

Policy Oversight

Information Assurance


Red Flag Action Report Form

Peer to Peer File Sharing: Paper by Susan Hattan for the NACUA Compliance Conference

Educause Connect Page on Peer to Peer File Sharing

Frequently Considered Areas for GLB Data

EDUCAUSE Network and Cybersecurity Initiative Resource Page

UC Boulder HEOA Peer to Peer Compliance Plan

UW Madison Compliance Plan


Policies for which Information Assurance Officer is Responsible Official

Information Assurance Policy
Identity Theft Prevention  

Links checked and updated 07/21/10 TOL