PRIVACY, SECURITY, ACCESS, AND OWNERSHIP: LEGAL ISSUES IN CLOUD COMPUTING
SW/WC 2012 Technology Conference
March 8-9, 2012

Attributes of Cloud Computing
Allows for outsourcing of IT
Delivery of scalable IT resources over the Internet (as opposed to hosting and operating those resources locally)
Familiarity: it’s something we all use (think Gmail, Yahoo, Facebook)
Allows schools to purchase IT infrastructure and services on an "as needed" basis, without incurring the capital costs of software or hardware

Why is Cloud Computing Attractive to Schools?
Schools can obtain new services
Cloud services offer flexibility and convenience
Cloud services are more affordable
Cloud services are updated and upgraded regularly

How Does Cloud Computing Work?
Schools procure IT services from remote providers and members of the school community access those services over the Internet (users can access the applications and files they need from virtually any Internet connected computer)
Software is hosted by the provider and does not need to be installed or maintained on individual computers around the school
Storage and processing needs are met by the cloud

Advantages
Cloud providers specialize in particular applications and services, and this expertise allows them to efficiently manage upgrades and maintenance, backups, disaster recovery, and failures.
Providers, like Google Apps for Education, tailor services to schools (e.g. no advertising, FERPA compliant).
Schools gain the flexibility of being able to respond quickly to requests for new services by purchasing them from the cloud as add-ons (e.g. Google Apps for Education’s “Postini” services).

Disadvantages
Cloud Computing raises significant concerns about privacy, security, data integrity, intellectual property management, audit trails, and other issues (although some argue that cloud services offer more security than on-campus solutions, given the complexity of mounting an effective IT security effort at the school level).
Although the benefits of Cloud Computing are becoming more tangible, significant policy and technology issues must still be sorted out.

CLOUD COMPUTING Legal and Policy Considerations
Information Privacy and Security Regulation: FERPA; COPPA; FCRA; HIPAA; Gramm-Leach-Bliley Act of 1999; and Payment Card Industry Data Security Standards
Identity Theft
User Privacy (and data mining)
Ownership of Data

Google Apps for Education: FERPA
FERPA. The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”); and (b) to the extent that Customer Data includes FERPA Records, Google will be considered a “School Official” (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.

Google Apps for Education: COPPA
Customer acknowledges and agrees that it is solely responsible for compliance with the Children's Online Privacy Protection Act of 1998, including, but not limited to, obtaining parental consent concerning collection of students' personal information used in connection with the provisioning and use of the Services by the Customer and End Users.

Google Apps for Education: Confidential Information
Obligations. Each party will: (a) protect the other party’s Confidential Information with the same standard of care, but no less than a reasonable standard of care, it uses to protect its own Confidential Information; and (b) subject to applicable law, not disclose the Confidential Information, except to Affiliates, employees and agents who have a reasonable need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates, employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it.
Each party is responsible for any actions of its Affiliates, employees and agents in violation of this Section.

Google Apps for Education: Intellectual Property Rights
Intellectual Property Rights. Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Google owns all Intellectual Property Rights in the Services.

E-Discovery
It is important to understand the framework of the vendor’s system, how and in what format it keeps your data, and what tools are available to you to access your data.
"Free" services typically will have few such tools available, which likely will make e-discovery a time-consuming and cumbersome task.

IP Infringement
Cloud service providers should be willing to warrant that they actually own the technologies and business processes they use and indemnify the school against any potential intellectual property infringement claim that may arise as a result of its technologies or business processes.

Google Apps for Education: Indemnification
By Google. Google will indemnify, defend, and hold harmless Customer from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim that Google’s technology used to provide the Services or any Google Brand Feature infringe or misappropriate any patent, copyright, trade secret or trademark of such third party. Notwithstanding the foregoing, in no event shall Google have any obligations or liability under this Section arising from: (i) use of the Services or Google Brand Features in a modified form or in combination with materials not furnished by Google, and (ii) any content, information or data provided by Customer, End Users or other third parties.

Google Apps for Education: Possible Infringement
Possible Infringement.
(a) Repair, Replace, or Modify. If Google reasonably believes the Services infringe a third party’s Intellectual Property Rights, then Google will: (a) obtain the right for Customer, at Google’s expense, to continue using the Services; (b) provide a noninfringing functionally equivalent replacement; or (c) modify the Services so that they no longer infringe.
(b) Suspension or Termination. If Google does not believe the foregoing options are commercially reasonable, then Google may suspend or terminate Customer’s use of the Services with a minimum of six months written notice to Customer, unless prohibited by a court of competent jurisdiction.

Terms of Use
Schools should attempt to require cloud service providers to provide direct, individual notice sufficiently in advance of the effective date of any amendments to the provider’s terms of use, along with the right to terminate if such amendments are unacceptable to the school.
Suggested language: “Provider may make commercially reasonable modifications to the Service, provided it does not materially diminish the nature, scope, or quality of the Service."

Google Apps for Education: Modifications to the Services
To the Services. Google may make commercially reasonable changes to the Services from time to time. If Google makes a material change to the Services, Google will inform Customer, provided that Customer has subscribed with Google to be informed about such material change.

Google Apps for Education: Modifications to URL Terms
To URL Terms. Google may make commercially reasonable changes to the URL Terms from time to time. If Google makes a material change to the URL Terms, Google will inform Customer by either sending an email to the Notification Email Address or alerting Customer via the Admin Console.
If the change has a material adverse impact on Customer and Customer does not agree to the change, Customer must so notify Google via the Help Center within thirty days after receiving notice of the change. If Customer notifies Google as required, then Customer will remain governed by the terms in effect immediately prior to the change until the end of the then current Term. If the Services are renewed, they will be renewed under Google's then current URL Terms.

Export Controls
This is largely an issue for higher education institutions involved in research
Some provider form contracts expressly reserve the right to store customer data in any country in which the provider does business, which can raise export control issues.
Schools housing research data should be mindful of this and include language in their contracts prohibiting “extraterritorial” storage.

Google Apps for Education: Facilities and Data Transfer
As part of providing the Services, Google may transfer, store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data.

Service Level Agreement issues
Amount of guaranteed “uptime”
Process and timeline for dealing with “downtime”
Notice provisions (e.g. amount of notice due before suspension of service)
Provision regarding availability of school data post-termination and provider’s obligation to destroy copies of data once termination and transition to a new service is complete
Circumstances under which the provider may suspend an individual end user’s account
Consequences for failure to meet these requirements

Google Apps for Education: Contract references separate agreement
“SLA” means the Services Level Agreement located here: http://www.google.com/a/help/intl/en/admins/sla.html, or other such URL as Google may provide.

Google Apps for Education: End User Accounts
End User Accounts.
Customer may request End User Accounts by: (i) requesting them online via the Admin Console; or (ii) after the Services Commencement Date, contacting Google support personnel. Customer can suspend or delete End User Accounts at any point in time through the Admin Console.

Google Apps for Education: Suspension of End User Accounts by Google
Of End User Accounts by Google. If Google becomes aware of an End User’s violation of the Agreement, then Google may specifically request that Customer Suspend the applicable End User Account. If Customer fails to comply with Google’s request to Suspend an End User Account, then Google may do so. The duration of any Suspension by Google will be until the applicable End User has cured the breach, which caused the Suspension.

Google Apps for Education: Emergency Security Issues
Emergency Security Issues. Notwithstanding the foregoing, if there is an Emergency Security Issue, then Google may automatically Suspend the offending use. Suspension will be to the minimum extent and of the minimum duration required to prevent or terminate the Emergency Security Issue. If Google Suspends an End User Account for any reason without prior notice to Customer, at Customer’s request, Google will provide Customer the reason for the Suspension as soon as is reasonably possible.

Suspension/Termination of Contract
Be explicit about the reasons either party may suspend or terminate the contract
Specify what happens to the data post-termination
Scrutinize “automatic renewal” clauses (particularly with regard to fee increases)

Google Apps for Education: Term; Auto Renewal
Auto Renewal. At the end of the Initial Term and each renewal term, the Services will automatically renew for an additional term of twelve months. If either party does not want the Services to renew, then it must notify the other party in writing at least 90 days prior to the end of the then current term.
This notice of non-renewal will be effective upon the conclusion of the then-current term.

Google Apps for Education: Termination for Breach
Termination for Breach. Either party may suspend performance or terminate this Agreement if: (i) the other party is in material breach of the Agreement and fails to cure that breach within thirty days after receipt of written notice; (ii) the other party ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within ninety days; or (iii) the other party is in material breach of this Agreement more than two times notwithstanding any cure of such breaches.

Google Apps for Education: Other Termination
Other Termination. Customer may terminate this Agreement for any reason (or no reason) with thirty days prior written notice to Google.

Google Apps for Education: Effects of Termination
Effects of Termination. If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) Google will provide Customer access to and the ability to export the Customer Data for a commercially reasonable period of time at Google's then-current rates for the applicable Services; provided that if Customer needs Google to provide access and the ability to export Customer Data for a minimum period of time (such time period not to exceed 90 days), then prior to termination, Customer must notify Google of that request; (iii) after a commercially reasonable period of time, Google will delete Customer Data by removing pointers to it on Google’s active and replication servers and overwriting it over time; and (iv) upon request each party will promptly use commercially reasonable efforts to return or destroy all other Confidential Information of the other party.

Google Apps for Education: Term; No Fees
No Fees. During the Initial Term, Google will not charge Customer fees for the Services.
If Google decides to charge a fee for the Services after the Initial Term it must notify Customer of such fee in writing at least 12 months prior to the end of the then current Term. Upon the parties’ mutual written agreement, (a) Google may charge Customer fees for the Services after the Initial Term and (b) Google may charge Customer fees for a premium version of the Services or for optional functionality or enhancements that may be added to the Services by Google.

Accessing Data – Extraordinary Circumstances
Schools should outline specific circumstances in which they may need to access user information from the provider (e.g. in cases of concern for the health or safety of a student, to check on a student’s use of email services and possibly even the content of his or her e-mail messages.)
Schools should review their existing practices in this area (death of student, health or safety emergency of the individual, health or safety emergency of the institution or other people) and ensure the contract with the provider provides access.

Google Apps for Education: Customer Administration of the Services
Customer Administration of the Services. Customer may specify one or more Administrators through the Admin Console who will have the rights to access Admin Account(s) and to administer the End User Accounts. Customer is responsible for: (a) maintaining the confidentiality of the password and Admin Account(s); (b) designating those individuals who are authorized to access the Admin Account(s); and (c) ensuring that all activities that occur in connection with the Admin Account(s) comply with the Agreement. Customer agrees that Google’s responsibilities do not extend to the internal management or administration of the Services for Customer and that Google is merely a data-processor.

Warranty and Indemnification
With regard to warranties, at a minimum, the contract should:
Warrant that the service conforms to and will perform in accordance with its specifications
Warrant that the service does not infringe any third-party intellectual property rights

Warranty and Indemnification
With regard to indemnification, the contract should address:
Indemnification by provider for infringement of 3rd party intellectual property rights AND inappropriate disclosure or data breach (ideally, the provider would indemnify for all acts and omissions)
Indemnification by the school should be limited in the case of misconduct by end users. (Note, some schools may have state law restrictions on their ability to indemnify providers)

Choice of Law/Venue
Because some schools may have state law restrictions on their ability to consent to these clauses, the following approach is encouraged:
Choose the school’s law and jurisdiction as the governing law;
Provide that actions must be brought in the defendant’s jurisdiction; or
Simply delete the Choice of Law clause entirely.

Additional Issues
Publicity (i.e. use of the school’s name, logo, or trademark)
Responsibility for unauthorized or inappropriate use (it is preferable to state only that the school will not “authorize” or “knowingly allow” inappropriate use of the provider’s service)

Negotiating Contracts
Don’t sign a provider’s form “as is”
Retain counsel to assist with contract review
Consider “pooling resources” with other schools (See, e.g. Wisconsin Department of Public Instruction’s approach, including negotiated contract and consent forms)

Possible Contract Approaches
Baseline: Individual schools provide the services best suited to the edge/leverage culture of their schools.
Commercial Sourcing (COMSo): Schools identify and shift particular services to a commercial service provider via contract (student mail is a leading example of this as is iTunesU).
Institutional Sourcing (INSo): An institution (e.g. state college or university) provides IT services to schools via contract and fee.
Consortium Sourcing (CONSo): Schools aggregate demand, define service levels, and governance for a service then source the provisioning of that service to (a) commercial providers and/or (b) institutional providers.

Conclusion
Thank you!
Little Buffalo Law & Consulting