IT Laws and Regulations - Compliance Reference for Faculty, Staff, and Contractors

Quick Overview
  • Summarizes federal and state laws that govern how SFA uses and manages technology
  • Applies to all faculty, staff, students, contractors, and SFA Police Department personnel
  • Covers data privacy, payment security, copyright, criminal justice information, and Texas-specific cybersecurity requirements

A range of federal and state laws shape how Stephen F. Austin State University uses and manages technology. This article summarizes key compliance frameworks — from student data protection to criminal justice information security — that affect university systems, research, and daily operations.

FERPA (Federal): Protecting Student Education Records

What Is FERPA?

The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that gives students rights regarding their education records and restricts who may access or disclose that information. At SFA, the Registrar's Office is the authoritative resource on FERPA compliance.

What Are Education Records?

Education records include any record maintained by SFA (or someone acting on its behalf) that is directly related to a student and from which a student can be personally identified — regardless of format (paper, digital, email, video, etc.). Common examples include grades, transcripts, enrollment status, financial aid records, and disciplinary files.

Directory Information

Certain information may be released without student consent and is designated as directory information (e.g., name, email address, enrollment status, degree program). Currently enrolled students may restrict the release of their directory information by contacting the Registrar. That restriction remains in effect until the student removes it.

What Does This Mean for Me?

Education records are sensitive data. All SFA employees with access to student records must:

  • Encrypt. Devices storing student records must have disk encryption enabled.
  • Avoid email. Email alone is not a secure method for transmitting FERPA-protected data. Use approved secure file transfer tools instead.
  • Use approved systems only. Grade and enrollment data should only be accessed through official SFA platforms (Banner, MySFA, Canvas, etc.).
  • Need-to-know only. Access student records only when there is a legitimate educational purpose.

Important: Sharing student records with unauthorized parties — including parents of adult students — without written consent or a valid FERPA exception is a federal violation. When in doubt, contact the Registrar's Office before releasing any student information.

Questions & Reporting

For FERPA guidance or to report a potential violation, contact the SFA Registrar's Office. For questions about securing systems or devices that handle FERPA data, contact the Office of Information Security at itsecurity@sfasu.edu.

External Reference: studentprivacy.ed.gov — U.S. Department of Education FERPA resources

HIPAA (Federal): Protecting Personal Health Information

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects sensitive health information, known as Protected Health Information (PHI), from being disclosed without a patient's consent or knowledge, while still permitting necessary information flow for quality healthcare delivery.

HIPAA vs. FERPA at SFA

Student health records maintained by SFA's Student Health Services or Counseling Center are typically considered education records or treatment records under FERPA — meaning HIPAA's Privacy Rule generally does not apply to those records. However, HIPAA may still apply when SFA units operate as healthcare providers or when data is received under a research grant or Business Associate Agreement (BAA).

When Does HIPAA Apply at SFA?

SFA may function as a hybrid entity under HIPAA, meaning only specific units that perform healthcare functions are required to comply. HIPAA obligations also arise when:

  • A department receives patient data from another institution or federal agency under a grant or data use agreement containing a BAA.
  • A unit stores or transmits electronic protected health information (ePHI) on behalf of a covered function.

Contact the Office of Information Security if you are unsure whether your data or systems are subject to HIPAA.

Key HIPAA Requirements

  • Privacy Rule: Governs permissible uses and disclosures of PHI and establishes patient rights.
  • Security Rule: Requires technical, physical, and administrative safeguards for electronic PHI (ePHI).
  • Breach Notification Rule: Requires timely notification to affected individuals and HHS if unsecured PHI is compromised.

Tip: Even when data is covered by FERPA rather than HIPAA, the same security controls apply. Knowing which law governs matters most during a breach — it changes SFA's specific notification and reporting obligations.

Questions

For questions about HIPAA applicability or compliance, contact the Office of Information Security at itsecurity@sfasu.edu.

External Reference: hhs.gov/hipaa — HHS HIPAA for Professionals

PCI DSS (Industry Standard): Securing Payment Card Data

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard established by the major card brands (Visa, Mastercard, American Express, Discover). It defines technical and operational requirements for any organization that accepts, processes, stores, or transmits cardholder data. Compliance is a contractual requirement for accepting card payments — not just a best practice.

Who Does This Apply To?

Any SFA department, organization, or third-party vendor that handles payment card transactions on behalf of the university must comply with PCI DSS. This includes departments that accept payment for tuition, fees, event tickets, dining, bookstore purchases, or any other university service.

Compliance Responsibilities

  • Use only university-approved payment systems, hardware, and software for card transactions.
  • Never store full card numbers, CVV codes, or magnetic stripe data on any system.
  • Complete required annual training on secure card handling procedures.
  • Cooperate with the Office of Information Security for network design reviews, security scans, and assessments of PCI-scoped environments.
  • Promptly remediate any vulnerabilities identified through vulnerability scans or assessments.

Important: Departments must not implement new payment card acceptance processes or select payment vendors without coordinating with the Office of Information Security and Treasury and Student Business Services first. Unauthorized payment systems that fall outside the PCI scope can expose SFA to fines and loss of card acceptance privileges.

Questions

Contact the Office of Information Security at itsecurity@sfasu.edu for guidance on PCI compliance, approved payment solutions, or network architecture reviews.

External Reference: pcisecuritystandards.org — PCI SSC Official Standards

DMCA (Federal): Copyright in the Digital Age

What Is the DMCA?

The Digital Millennium Copyright Act of 1998 (DMCA) is a federal law that governs rights related to digital copyrighted works. It provides copyright owners with legal tools to protect their materials online and establishes formal processes for reporting infringement to internet service providers — a category that includes universities like SFA.

File Sharing and Copyright Infringement

Distributing copyrighted files (music, movies, software, games, books) through peer-to-peer (P2P) networks or other means without permission from the copyright holder is a violation of the DMCA and federal copyright law. The consequences can be severe:

  • Civil penalties: $750–$30,000 per infringed work; up to $150,000 per work for willful infringement.
  • Criminal penalties: Up to five years imprisonment and $250,000 in fines per offense for willful infringement for commercial gain.
  • University sanctions: Violations of SFA's Acceptable Use Policy can result in loss of network access and other disciplinary action.

The DMCA Notice Process

When SFA receives a valid DMCA takedown notice from a copyright holder, the university is legally obligated to act promptly to disable access to the allegedly infringing material. The reported user will be notified and required to remove the content. Repeated violations can result in permanent suspension of network access.

Tip: Legal, low-cost alternatives to unauthorized file sharing include Spotify, Apple Music, Kanopy (free through SFA Libraries), and the SFA Library's digital collections.

Reporting Copyright Infringement

Copyright holders who need to report alleged infringement involving SFA's network should send a formal DMCA notice to SFA's designated agent. Contact information is available through the Office of Information Security or the SFA General Counsel's Office.

External Reference: copyright.gov/dmca — U.S. Copyright Office DMCA overview

CJIS Security Policy (Federal / State): Protecting Criminal Justice Information

What Is the CJIS Security Policy?

The Criminal Justice Information Services (CJIS) Security Policy is issued by the FBI and establishes the minimum security requirements for any agency or entity that accesses Criminal Justice Information (CJI). CJI includes data from systems such as the National Crime Information Center (NCIC) and, in Texas, the Texas Crime Information Center (TCIC) administered by the Department of Public Safety (DPS). The CJIS Security Policy is among the most prescriptive IT security frameworks applicable to higher education, specifying controls at a level of detail not found in most other compliance regimes.

Who Does This Apply To at SFA?

CJIS requirements apply directly to SFA Police Department personnel and systems. However, the policy's reach extends beyond the PD itself — it applies to anyone who has unescorted physical or logical access to systems, infrastructure, or data that touch CJI. At SFA this can include:

  • IT staff who manage, administer, or maintain networks, servers, endpoints, or storage used by SFA PD.
  • Vendors or contractors with physical or remote access to CJIS-connected systems.
  • Any personnel who handle devices or media containing CJI.

The Office of Information Security supports CJIS compliance for the technical controls in scope. Day-to-day CJIS compliance ownership and the CJIS Systems Agency (CSA) coordination role reside with SFA Police Department.

Key Requirements

  • Multi-Factor Authentication (MFA): Required for all personnel accessing CJI, including remote access scenarios. CJIS specifies acceptable authentication factors and prohibits certain methods.
  • Encryption: CJI must be encrypted in transit and at rest using FIPS 140-2 validated cryptography. This applies to devices, media, and any communication channel carrying CJI.
  • Personnel Screening: All personnel with access to CJI — including IT staff — must undergo a fingerprint-based criminal history background check. This applies to contractors and vendors as well.
  • Audit Logging: All access to CJI systems must be logged, retained, and reviewed. The policy specifies minimum log content and retention periods.
  • Incident Response: CJIS imposes specific reporting timelines for security incidents involving CJI — typically within 24 hours to the CSA and ultimately to DPS and the FBI CJIS Division.
  • Media Protection and Sanitization: Devices and media containing CJI must be sanitized or destroyed in accordance with NIST SP 800-88 before disposal or reuse.
  • Security Awareness Training: All authorized personnel must complete CJIS-specific security awareness training within six months of initial access and every two years thereafter.
  • Mobile Device Management: Mobile devices used to access CJI must meet specific configuration and security requirements including screen lock, remote wipe capability, and encryption.

Texas-Specific Layer: DPS and TLETS

In Texas, CJIS compliance is overseen by the Texas DPS, which administers access to CJI through the Texas Law Enforcement Telecommunications System (TLETS). DPS conducts periodic compliance audits of agencies with TLETS access, which can include review of the technical infrastructure operated by SFA IT. Findings from DPS audits that involve IT controls are coordinated through the Office of Information Security.

Important: Any IT change — including network modifications, new systems, cloud services, or vendor access — that could affect infrastructure used by SFA PD must be reviewed by the Office of Information Security before implementation to ensure CJIS compliance is maintained. Unauthorized changes to CJIS-adjacent infrastructure can result in suspension of SFA PD's access to state and national criminal justice databases.

Tip: If you are an IT staff member asked to perform work on systems used by SFA PD — even routine tasks like patching or cable work — confirm with your supervisor and the Office of Information Security whether a CJIS background check is required before you begin.

Questions

For questions about CJIS technical controls or IT infrastructure requirements, contact the Office of Information Security at itsecurity@sfasu.edu. For questions about personnel screening, training requirements, or CSA coordination, contact SFA Police Department.

External References:
  • FBI CJIS Security Policy — Current version (FBI Law Enforcement Enterprise Portal)
  • Texas DPS Crime Records Service — TLETS and state CJIS oversight

Texas Administrative Code (State): State Security, Accessibility & AI Standards

What Is the Texas Administrative Code?

The Texas Administrative Code (TAC) is the official compilation of all state agency rules in Texas. Several chapters within TAC directly govern information technology, cybersecurity, and accessibility at public universities like SFA. The key chapters are TAC 202 (information security), TAC 206 & 213 (accessibility), and TAC 219 (artificial intelligence), all administered by the Texas Department of Information Resources (DIR).

TAC 202 — Information Security Standards

TAC 202 establishes the minimum information security standards all Texas state agencies and public universities must follow. It assigns ultimate responsibility for information security to the university president. Key requirements include:

  • Designated Information Security Officer (ISO): SFA must designate an ISO — fulfilled by the Chief Information Security Officer (CISO) — with explicit authority to administer the university's information security program.
  • Annual Risk Assessments: Units with ownership or custodial responsibility for information resources must conduct and document risk assessments at least annually using DIR-approved methodology.
  • Security Controls Catalog: SFA must implement the security controls catalog published by DIR. All controls are mandatory unless a documented exception is approved.
  • Comprehensive Security Program: SFA must develop, implement, maintain, and periodically review a written information security program covering all TAC 202 requirements.

TAC 206 & 213 — Electronic & Information Resources Accessibility

TAC 206 and 213 require that all electronic and information resources (EIR) purchased, developed, or used by state agencies and public universities be accessible to people with disabilities, consistent with WCAG 2.1 AA standards.

  • All new technology procurements must include an accessibility review (VPAT/ACR evaluation).
  • Departments that deploy web content or applications are responsible for meeting WCAG 2.1 AA conformance.
  • Exceptions require documented justification and an equally effective alternate access plan.

TAC 219 — Artificial Intelligence

TAC 219 establishes requirements for how Texas state agencies and public universities must govern the use of artificial intelligence tools and systems. Key requirements for SFA include:

  • AI Use Policy: SFA must maintain a written policy governing the acceptable use of AI tools, including both internally developed systems and third-party AI services used for university business.
  • Risk Assessment for AI Tools: AI-enabled products and services must be evaluated for security, privacy, and bias risks before procurement or deployment; this evaluation is part of SFA's Electronic Accessibility & Security Review process.
  • Data Handling Restrictions: Confidential university data — including student records, employee PII, and financial information — may not be submitted to AI tools without an appropriate data processing agreement and security authorization.
  • Transparency and Accountability: Departments using AI in decision-making processes that affect individuals must document those uses and ensure appropriate human oversight.

Important: Using a general-purpose AI tool (such as a free or consumer-tier AI chatbot) to process content involving student records, employee data, or other sensitive university information is prohibited without prior review and approval. Contact the Office of Information Security before using any AI tool for university work.

Tip: Before purchasing or renewing any software or digital service — including AI-enabled tools — submit a request through the Electronic Accessibility & Security Review process at help.sfasu.edu. This ensures TAC 202, TAC 206/213, and TAC 219 requirements are all evaluated before a contract is signed.

Questions

For TAC 202 (security) or TAC 219 (AI) questions, contact the Office of Information Security at itsecurity@sfasu.edu. For TAC 206/213 (accessibility) questions, contact the SFA Web Accessibility team or submit a ticket through the IT Help Desk.

Texas Prohibited Technologies (State): Restricted Apps & Devices on State Networks

Background and Legal Authority

Texas law prohibits certain technologies on state-owned devices and networks, and restricts their use on personal devices when conducting state business. The current framework is based on:

  • Governor's Directive (December 2022): Required all state agencies to ban TikTok and similar applications on state-owned devices due to national security concerns.
  • Texas Government Code Chapter 620 (Senate Bill 1893, 2023): Codified the prohibition of covered applications on governmental entity devices.
  • UT System Policy: As a member of the University of Texas System, SFA must implement administrative, operational, and technical controls to comply with all applicable prohibited technology directives.

What Technologies Are Prohibited?

There are two categories of restrictions maintained by DIR:

  • Covered Applications: Social media and communication applications (e.g., TikTok) that are completely banned from institution-owned devices — with no exceptions.
  • Prohibited Technologies: A broader list of hardware and software products (including subsidiaries and affiliates) that are restricted on both institution-owned and personal devices used for state business.

Impact on SFA Operations

  • University-owned devices may not have prohibited technologies installed.
  • Personal devices used for state business (e.g., checking SFA email, accessing Banner or Workday) may not have prohibited technologies installed.
  • University networks may block access to prohibited technologies or restrict devices that have them installed from connecting.
  • Purchasing decisions must account for the prohibited technology lists before acquiring new hardware or software.

Important: Using your personal phone for Duo MFA push notifications is not considered conducting state business. However, accessing SFA email, Banner, Workday, or other university applications from a personal device is considered state business — prohibited technologies must not be installed on that device.

Exceptions

Limited exceptions may be available for some prohibited technologies when there is a documented business or research justification. No exceptions are permitted for covered applications (e.g., TikTok). Exception requests should be submitted to the Office of Information Security for review.

Questions

Contact the Office of Information Security at itsecurity@sfasu.edu to report prohibited technology use, request an exception, or ask about specific technologies.

TX-RAMP (State): Cloud Security Authorization for Texas

What Is TX-RAMP?

The Texas Risk and Authorization Management Program (TX-RAMP) is a state program administered by DIR that establishes a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services used by Texas state agencies and public universities. It was created under Texas Government Code § 2054.0593 and ensures that cloud vendors handling state data meet baseline security requirements before and during their engagement with the state.

Why Does TX-RAMP Matter for SFA?

Before SFA can contract for or renew a cloud service that processes, stores, or transmits confidential state data (which includes student records, employee PII, financial data, and health information), the vendor must hold an active TX-RAMP authorization. This applies to all cloud services, including SaaS applications, regardless of whether they are purchased centrally or by individual departments.

TX-RAMP Authorization Levels

  • Level 1: For cloud services handling low-sensitivity data. Vendors self-attest to baseline security controls.
  • Level 2: For services handling confidential data. Requires third-party assessment and evidence review by DIR.

What This Means for Procurement

  • Before purchasing or renewing any cloud-based tool, check whether the vendor holds a current TX-RAMP authorization at dir.texas.gov/tx-ramp.
  • Submit all new cloud service requests through the Electronic Accessibility & Security Review process at help.sfasu.edu so the Office of Information Security can verify TX-RAMP status.
  • Contracts with cloud vendors should require TX-RAMP authorization and vendors must maintain that authorization for the duration of the agreement.

Tip: TX-RAMP status can change. A vendor authorized today may lose authorization if they fail a reassessment. The Office of Information Security monitors the DIR registry and will flag lapses identified during contract renewals.

Questions

Contact the Office of Information Security at itsecurity@sfasu.edu for questions about TX-RAMP authorization, vendor reviews, or procurement security requirements.

External Reference: dir.texas.gov/tx-ramp — Authorized Cloud Services Registry

Need Help?

Contact the IT Help Desk at (936) 468-4357 (HELP) or submit a ticket at help.sfasu.edu. For information security questions, email itsecurity@sfasu.edu.