In recent years, higher education has become increasingly invested in cloud computing. Cloud computing can offer significant cost savings; it also facilitates data sharing and accessibility and meets the on-demand data expectations of today's faculty and students. There is a tradeoff, however, for higher education institutions, which must comply with numerous federal and state laws that govern the use and retention of electronically stored information, including FERPA, HIPAA, FOIA, and export control laws, as well as PCI DSS (an industry standard rather than a law, but contractually binding on institutions that process payment cards) and electronic discovery obligations. In an era where news of cybersecurity lapses and data breaches has become commonplace, these legal requirements make reliance on third-party cloud computing service providers worthy of concern. Those in higher education should consider revisiting their cloud computing contracts to ensure they have adequate safeguards in place in the event vendor data systems are breached.
Professionals in higher education may be well informed about the legal requirements with which their institutions must comply, but are their vendors? What happens when vendor data systems containing sensitive information are breached? These questions and related issues should be addressed in vendor contracts. For instance, the following questions may warrant further consideration when revisiting those contracts:
- Data ownership
  - Who owns the data?
  - What restrictions are placed on the vendor's use of the stored data?
- Security and privacy
  - What standard is the vendor bound to comply with in maintaining the security of institutional data?
  - Does that standard differ for proprietary, personal, or regulated data?
  - Is the data encrypted and, if so, at rest, in transit, or both, and who holds the encryption keys?
  - What safeguards does the vendor use to restrict access to data?
  - Is the vendor obligated to perform routine audits of its standards and security measures?
  - What notification is the vendor required to provide if a data breach occurs, and to whom and by when is such notification required?
  - Does the vendor account for state privacy laws applicable to student personal information (e.g., Massachusetts 201 CMR 17.00 et seq.)?
- Location of data storage
  - Where is the vendor organized as a commercial entity, and where will the data be stored?
  - What representations does the vendor make concerning compliance with applicable foreign law, available support and bandwidth, downtime, and timeliness of operations as they relate to the maintenance and accessibility of data stored in foreign jurisdictions?
  - Is research data stored with the vendor and, if so, given export control implications and potential contractual obligations, does the vendor contract prohibit the storage of such data outside of the U.S.?
  - Is the stored data accessible by faculty, staff, or students located outside of the U.S., and what restrictions are placed on such access when sought from a foreign jurisdiction?
- E-discovery and litigation support
  - Is the vendor required to provide the necessary support, tools, and information to enable the institution to access and examine stored data for e-discovery purposes?
  - Does the vendor agree to, and have the capability to, implement a litigation hold issued by the institution concerning stored data?
  - Can the vendor produce a forensically sound copy of stored data without disrupting cloud operational or production services?
- Indemnification
  - Is the vendor obligated to indemnify the institution for third-party intellectual property infringement allegations (concerning the vendor's technologies or practices) and for data breaches or inadvertent data disclosures?
Certain measures, including those considered above, as well as a customized privacy and cyber insurance policy, can help to protect against the institutional exposure that may result from a data breach. If, after taking another look at your vendor contract, you find that provisions critical to your institution's protection are missing, review the contract's amendment and termination provisions to determine how you can negotiate the necessary safeguards or, failing that, exit the agreement.