TIES TLC 2012: Aimee Bissonette Privacy, Security, Access and Ownership: Legal Issues in Cloud Computing
In this session, Aimee Bissonette focused on aspects of cloud computing for school districts. Her slides can be found here.
She asked how many districts were using it, and most said they were, and that most were free. Many were Apps for Education districts.
After discussing the attributes of cloud computing, why schools are interested in using it, and how it works, she focused on the implications.
The disadvantage to free services include, "It might not be there tomorrow," Advertising, and "It might not be free anymore!" How much leverage do you have regarding terms of service when something is free?
She pointed out benefits, but also raised concerns regarding privacy, security, data integrity, intellectual property, etc.
The student data that you collect and store involve many laws, FERPA, FCRA, HIPAA, etc.
E-Discovery
It is important to understand how data is stored in the vendor's system, and how you can access it
Free services typically have limited tools available which may make e-discovery cumbersome and time consuming. Google does have a good service for retrieval if you pay.
Doug Johnson noted that there are policies in place for administrators to archive paper communication, why can't they be responsible for storage of electronic communication.
Bissonette noted that the question is how can it be retrieved? She wondered what people would get from doing that. If someone is working for you and they are sued, you are sued too! It doesn't get the employer off the hook!
Is there a legal difference between staff and student accounts regarding archiving? The school is responsible for it's employees, not the student user transmissions regarding archiving.
Service Level Agreement Issues
What is the guaranteed up time?
What is the fine print?
What services do they agree to provide?
When may the contract be terminated? For you or the vendor? If you terminate, what happens to the data?
What about "Automatic Renewal" language?
Accessing Data Quickly
Schools need to specify specific circumstances when the district needs access to data in an emergency. This should be outlined in the contract. What would it be like if you stored the data yourself? Use those as a guideline for how you need it in the cloud.
The death of a student, health or safety emergency of the school or other people are examples.
Warranty and Indemnification
The contract should address the violation of a 3rd party's intellectual property rights as well as if there is an inappropriate disclosure or data breach. Some schools may have state laws restrictions here. If there is monetary compensation, it should be pretty big! ($1,000,000 especially if someone like MSFT and Google!)
Indemnification by the school needs to be clearly specified as well!
Choice of Law/Venue
The school's law and juristiction should be the governing law. The action should be brought in the defendant's juristiction.
Other Issues
Publicity -Can the provider use our logo in publicity? Perhaps as long as permission is asked for first!
Responsibility for unauthorized use.
Negotiating Contracts
She asked how many districts were using it, and most said they were, and that most were free. Many were Apps for Education districts.
After discussing the attributes of cloud computing, why schools are interested in using it, and how it works, she focused on the implications.
The disadvantage to free services include, "It might not be there tomorrow," Advertising, and "It might not be free anymore!" How much leverage do you have regarding terms of service when something is free?
She pointed out benefits, but also raised concerns regarding privacy, security, data integrity, intellectual property, etc.
The student data that you collect and store involve many laws, FERPA, FCRA, HIPAA, etc.
E-Discovery
It is important to understand how data is stored in the vendor's system, and how you can access it
Free services typically have limited tools available which may make e-discovery cumbersome and time consuming. Google does have a good service for retrieval if you pay.
Doug Johnson noted that there are policies in place for administrators to archive paper communication, why can't they be responsible for storage of electronic communication.
Bissonette noted that the question is how can it be retrieved? She wondered what people would get from doing that. If someone is working for you and they are sued, you are sued too! It doesn't get the employer off the hook!
Is there a legal difference between staff and student accounts regarding archiving? The school is responsible for it's employees, not the student user transmissions regarding archiving.
Service Level Agreement Issues
What is the guaranteed up time?
What is the fine print?
What services do they agree to provide?
When may the contract be terminated? For you or the vendor? If you terminate, what happens to the data?
What about "Automatic Renewal" language?
Accessing Data Quickly
Schools need to specify specific circumstances when the district needs access to data in an emergency. This should be outlined in the contract. What would it be like if you stored the data yourself? Use those as a guideline for how you need it in the cloud.
The death of a student, health or safety emergency of the school or other people are examples.
Warranty and Indemnification
The contract should address the violation of a 3rd party's intellectual property rights as well as if there is an inappropriate disclosure or data breach. Some schools may have state laws restrictions here. If there is monetary compensation, it should be pretty big! ($1,000,000 especially if someone like MSFT and Google!)
Indemnification by the school needs to be clearly specified as well!
Choice of Law/Venue
The school's law and juristiction should be the governing law. The action should be brought in the defendant's juristiction.
Other Issues
Publicity -Can the provider use our logo in publicity? Perhaps as long as permission is asked for first!
Responsibility for unauthorized use.
Negotiating Contracts
- Don't sign a provider form as is!
- Retain counsel to assist with contract review
- Consider pooling resources with other schools.
Wisconsin has done a nice job of pooling resources this way.
Contract approaches
- Baseline-Individual schools make decisions based on them individually
- Commercial Sourcing (COMSo) Districts pick specific services to move to the cloud.
- Institutional Sourcing An institution provides IT services to schools for a fee
- Consortium Sourceing-Like TIES
Doug Johnson asked about Google, and the fact that so many districts and institutions are using it, isn't it a fairly safe move? Bissonette said "probably", but when it comes to the smaller companies, or services that are not free, then it would be prudent to take a closer look!
What about ebooks that have a cost? It also comes up on iDevices where Apple wants you to tie it to the staff members own e-mail. State law currently states that you can't charge students for this as a "technology fee" if you choose to use them.
Some districts have assigned a separate e-mail account for each device they manage.
Comments