The state of Maryland has recently passed a new law aimed at enhancing data privacy and cybersecurity measures at higher education institutions. This law mandates universities to take steps to ensure the proper collection, storage, and protection of sensitive data. While similar laws are already in place in 40 other states, they primarily focus on K-12 education. It is expected that these regulations will soon extend to colleges and universities as well.
Outlined below are some of the key data privacy and cybersecurity requirements set forth by Maryland’s new law. All universities looking to strengthen their security posture and prepare for upcoming regulations should consider implementing these practices.
Privacy Governance and Risk Management Programs
Under the new Maryland law, universities are required to establish a privacy governance and risk management program. This program aims to ensure compliance with data privacy regulations, protect sensitive information through data encryption, and effectively manage security risks. It also includes procedures to address various security threats and enables staff to respond promptly in case of an attack.
Furthermore, the law mandates that a third party with information security expertise periodically review the university’s privacy governance and risk management program. While not yet required at the federal level, this practice is highly recommended as a way to stay up to date with evolving privacy regulations and best practices.
Posting Privacy Notices and Ensuring Data Autonomy
Universities in Maryland must now display clear privacy notices on their website homepages, a practice already enforced in several other states. These notices enhance transparency and enable students and families to understand their rights and provide consent.
Moreover, the law emphasizes the importance of being transparent about information-sharing practices to protect sensitive data such as bank information, addresses, and health records. Students are also granted the right to amend their data and control the disclosure of certain personally identifiable information under FERPA.
Additionally, the Maryland statute goes beyond GLBA and FERPA requirements by establishing a process for individuals to access their own Personally Identifiable Information (PII) and request corrections or deletions. Institutions are also mandated to only collect necessary PII and must provide remedies for individuals affected by data breaches.
Be Diligent When Integrating Third-Party Tools
Maryland universities are now required to include privacy governance policy language in contracts with third-party vendors to ensure compliance. This helps establish clear guidelines for handling sensitive data and requires vendors to employ “reasonable” security controls. It is crucial to hold third-party vendors to the same cybersecurity standards as the institution to enhance data protection.
Following these regulations not only helps safeguard sensitive data but also aids in managing the extensive data sets that universities handle on a regular basis. By aligning with these practices, universities can better prepare for potential cyber threats and upcoming regulations.
An Example to Follow
While Maryland universities are required to adhere to these new rules, institutions nationwide should consider implementing similar programs to mitigate cyber risks and comply with future regulations. Whether these regulations stem from state or federal legislation, it is essential for universities to prioritize data privacy and cybersecurity measures.