Privacy, Security, Access, and Ownership: Legal Issues in Cloud

PRIVACY, SECURITY, ACCESS, AND
OWNERSHIP: LEGAL ISSUES IN
CLOUD COMPUTING
SW/WC 2012 Technology Conference
March 8-9, 2012
Attributes of Cloud Computing




Allows for outsourcing of IT
Delivery of scalable IT resources over the Internet
(as opposed to hosting and operating those
resources locally)
Familiarity: it’s something we all use (think Gmail,
Yahoo, Facebook)
Allows schools to purchase IT infrastructure and
services on an "as needed" basis, without incurring
the capital costs of software or hardware
Why is Cloud Computing Attractive to
Schools?




Schools can obtain new services
Cloud services offer flexibility and convenience
Cloud services are more affordable
Cloud services are updated and upgraded
regularly
How Does Cloud Computing Work?



Schools procure IT services from remote providers
and members of the school community access those
services over the Internet (users can access the
applications and files they need from virtually any
Internet connected computer)
Software is hosted by the provider and does not
need to be installed or maintained on individual
computers around the school
Storage and processing needs are met by the cloud
Advantages



Cloud providers specialize in particular applications
and services, and this expertise allows them to
efficiently manage upgrades and maintenance,
backups, disaster recovery, and failures.
Providers, like Google Apps for Education, tailor
services to schools (e.g. no advertising, FERPA
compliant).
Schools gain the flexibility of being able to respond
quickly to requests for new services by purchasing them
from the cloud as add-ons (e.g. Google Apps for
Education’s “Postini” services).
Disadvantages


Cloud Computing raises significant concerns about
privacy, security, data integrity, intellectual
property management, audit trails, and other issues
(although some argue that cloud services offer more
security than on-campus solutions, given the
complexity of mounting an effective IT security
effort at the school level).
Although the benefits of Cloud Computing are
becoming more tangible, significant policy and
technology issues must still be sorted out.
CLOUD COMPUTING
Legal and Policy Considerations
Information Privacy and Security




Regulation: FERPA; COPPA; FCRA; HIPAA; Gramm-Leach-Bliley Act of 1999; and Payment Card
Industry Data Security Standards
Identity Theft
User Privacy (and data mining)
Ownership of Data
Google Apps for Education: FERPA
FERPA. The parties acknowledge that (a) Customer
Data may include personally identifiable
information from education records that are subject
to FERPA (“FERPA Records”); and (b) to the extent
that Customer Data includes FERPA Records, Google
will be considered a “School Official” (as that term
is used in FERPA and its implementing regulations)
and will comply with FERPA.
Google Apps for Education: COPPA
Customer acknowledges and agrees that it is solely
responsible for compliance with the Children's
Online Privacy Protection Act of 1998, including,
but not limited to, obtaining parental consent
concerning collection of students' personal
information used in connection with the provisioning
and use of the Services by the Customer and End
Users.
Google Apps for Education:
Confidential Information
Obligations. Each party will: (a) protect the other party’s
Confidential Information with the same standard of care, but
no less than a reasonable standard of care, it uses to
protect its own Confidential Information; and (b) subject to
applicable law, not disclose the Confidential Information,
except to Affiliates, employees and agents who have a
reasonable need to know it and who have agreed in writing
to keep it confidential. Each party (and any Affiliates,
employees and agents to whom it has disclosed Confidential
Information) may use Confidential Information only to
exercise rights and fulfill its obligations under this
Agreement, while using reasonable care to protect it. Each
party is responsible for any actions of its Affiliates,
employees and agents in violation of this Section.
Google Apps for Education:
Intellectual Property Rights
Intellectual Property Rights. Except as expressly set
forth herein, this Agreement does not grant either
party any rights, implied or otherwise, to the other’s
content or any of the other’s intellectual property.
As between the parties, Customer owns all
Intellectual Property Rights in Customer Data, and
Google owns all Intellectual Property Rights in the
Services.
E-Discovery


It is important to understand the framework of the
vendor’s system, how and in what format it keeps
your data, and what tools are available to you to
access your data.
"Free" services typically will have few such tools
available, which likely will make e-discovery a time-consuming and cumbersome task.
IP Infringement

Cloud service providers should be willing to warrant
that they actually own the technologies and business
processes they use and indemnify the school against
any potential intellectual property infringement
claim that may arise as a result of its technologies
or business processes.
Google Apps for Education:
Indemnification
By Google. Google will indemnify, defend, and hold harmless
Customer from and against all liabilities, damages, and costs
(including settlement costs and reasonable attorneys’ fees)
arising out of a third party claim that Google’s technology
used to provide the Services or any Google Brand Feature
infringe or misappropriate any patent, copyright, trade
secret or trademark of such third party. Notwithstanding the
foregoing, in no event shall Google have any obligations or
liability under this Section arising from: (i) use of the
Services or Google Brand Features in a modified form or in
combination with materials not furnished by Google, and (ii)
any content, information or data provided by Customer, End
Users or other third parties.
Google Apps for Education:
Possible Infringement
Possible Infringement.
(a) Repair, Replace, or Modify. If Google reasonably believes the
Services infringe a third party’s Intellectual Property Rights,
then Google will: (a) obtain the right for Customer, at Google’s
expense, to continue using the Services; (b) provide a non-infringing functionally equivalent replacement; or (c) modify
the Services so that they no longer infringe.
(b) Suspension or Termination. If Google does not believe the
foregoing options are commercially reasonable, then Google
may suspend or terminate Customer’s use of the Services with
a minimum of six months written notice to Customer, unless
prohibited by a court of competent jurisdiction.
Terms of Use


Schools should attempt to require cloud service
providers to provide direct, individual notice
sufficiently in advance of the effective date of any
amendments to the provider’s terms of use, along
with the right to terminate if such amendments are
unacceptable to the school.
Suggested language: “Provider may make
commercially reasonable modifications to the
Service, provided it does not materially diminish the
nature, scope, or quality of the Service."
Google Apps for Education:
Modifications to the Services
To the Services. Google may make commercially
reasonable changes to the Services from time to
time. If Google makes a material change to the
Services, Google will inform Customer, provided
that Customer has subscribed with Google to be
informed about such material change.
Google Apps for Education:
Modifications to URL Terms
To URL Terms. Google may make commercially reasonable
changes to the URL Terms from time to time. If Google
makes a material change to the URL Terms, Google will
inform Customer by either sending an email to the
Notification Email Address or alerting Customer via the
Admin Console. If the change has a material adverse impact
on Customer and Customer does not agree to the change,
Customer must so notify Google via the Help Center within
thirty days after receiving notice of the change. If Customer
notifies Google as required, then Customer will remain
governed by the terms in effect immediately prior to the
change until the end of the then current Term. If the Services
are renewed, they will be renewed under Google's then
current URL Terms.
Export Controls



This is largely an issue for higher education
institutions involved in research
Some provider form contracts expressly reserve the
right to store customer data in any country in which
the provider does business, which can raise export
control issues.
Schools housing research data should be mindful of
this and include language in their contracts
prohibiting “extraterritorial” storage.
Google Apps for Education: Facilities
and Data Transfer
As part of providing the Services, Google may
transfer, store and process Customer Data in the
United States or any other country in which Google
or its agents maintain facilities. By using the
Services, Customer consents to this transfer,
processing and storage of Customer Data.
Service Level Agreement issues






Amount of guaranteed “uptime”
Process and timeline for dealing with “downtime”
Notice provisions (e.g. amount of notice due before
suspension of service)
Provision regarding availability of school data post-termination and provider’s obligation to destroy copies
of data once termination and transition to a new
service is complete
Circumstances under which the provider may suspend
an individual end user’s account
Consequences for failure to meet these requirements
Google Apps for Education: Contract
references separate agreement
“SLA” means the Services Level Agreement located
here:
http://www.google.com/a/help/intl/en/admins/sla.html,
or other such URL as Google may provide.
Google Apps for Education: End User
Accounts
End User Accounts. Customer may request End User
Accounts by: (i) requesting them online via the
Admin Console; or (ii) after the Services
Commencement Date, contacting Google support
personnel. Customer can suspend or delete End User
Accounts at any point in time through the Admin
Console.
Google Apps for Education: Suspension
of End User Accounts by Google
Of End User Accounts by Google. If Google becomes
aware of an End User’s violation of the Agreement,
then Google may specifically request that Customer
Suspend the applicable End User Account. If
Customer fails to comply with Google’s request to
Suspend an End User Account, then Google may do
so. The duration of any Suspension by Google will
be until the applicable End User has cured the
breach, which caused the Suspension.
Google Apps for Education: Emergency
Security Issues
Emergency Security Issues. Notwithstanding the
foregoing, if there is an Emergency Security Issue,
then Google may automatically Suspend the
offending use. Suspension will be to the minimum
extent and of the minimum duration required to
prevent or terminate the Emergency Security Issue.
If Google Suspends an End User Account for any
reason without prior notice to Customer, at
Customer’s request, Google will provide Customer
the reason for the Suspension as soon as is
reasonably possible.
Suspension/Termination of Contract



Be explicit about the reasons either party may
suspend or terminate the contract
Specify what happens to the data post-termination
Scrutinize “automatic renewal” clauses (particularly
with regard to fee increases)
Google Apps for Education:
Term; Auto Renewal
Auto Renewal. At the end of the Initial Term and each
renewal term, the Services will automatically renew
for an additional term of twelve months. If either
party does not want the Services to renew, then it
must notify the other party in writing at least 90
days prior to the end of the then current term. This
notice of non-renewal will be effective upon the
conclusion of the then-current term.
Google Apps for Education:
Termination for Breach
Termination for Breach. Either party may suspend
performance or terminate this Agreement if: (i) the
other party is in material breach of the Agreement
and fails to cure that breach within thirty days after
receipt of written notice; (ii) the other party ceases
its business operations or becomes subject to
insolvency proceedings and the proceedings are not
dismissed within ninety days; or (iii) the other party
is in material breach of this Agreement more than
two times notwithstanding any cure of such
breaches.
Google Apps for Education: Other
Termination
Other Termination. Customer may terminate this
Agreement for any reason (or no reason) with thirty
days prior written notice to Google.
Google Apps for Education: Effects of
Termination
Effects of Termination. If this Agreement terminates, then: (i) the rights
granted by one party to the other will cease immediately (except as
set forth in this Section); (ii) Google will provide Customer access to
and the ability to export the Customer Data for a commercially
reasonable period of time at Google's then-current rates for the
applicable Services; provided that if Customer needs Google to
provide access and the ability to export Customer Data for a
minimum period of time (such time period not to exceed 90 days),
then prior to termination, Customer must notify Google of that
request; (iii) after a commercially reasonable period of time,
Google will delete Customer Data by removing pointers to it on
Google’s active and replication servers and overwriting it over time;
and (iv) upon request each party will promptly use commercially
reasonable efforts to return or destroy all other Confidential
Information of the other party.
Google Apps for Education:
Term; No Fees
No Fees. During the Initial Term, Google will not charge
Customer fees for the Services. If Google decides to
charge a fee for the Services after the Initial Term it
must notify Customer of such fee in writing at least 12
months prior to the end of the then current Term. Upon
the parties’ mutual written agreement, (a) Google may
charge Customer fees for the Services after the Initial
Term and (b) Google may charge Customer fees for a
premium version of the Services or for optional
functionality or enhancements that may be added to the
Services by Google.
Accessing Data – Extraordinary
Circumstances


Schools should outline specific circumstances in which
they may need to access user information from the
provider (e.g. in cases of concern for the health or
safety of a student, to check on a student’s use of e-mail services and possibly even the content of his or her
e-mail messages).
Schools should review their existing practices in this area
(death of student, health or safety emergency of the
individual, health or safety emergency of the institution
or other people) and ensure the contract with the
provider provides access.
Google Apps for Education:
Customer Administration of the Services
Customer Administration of the Services. Customer may specify
one or more Administrators through the Admin Console who
will have the rights to access Admin Account(s) and to
administer the End User Accounts. Customer is responsible
for: (a) maintaining the confidentiality of the password and
Admin Account(s); (b) designating those individuals who are
authorized to access the Admin Account(s); and (c) ensuring
that all activities that occur in connection with the Admin
Account(s) comply with the Agreement. Customer agrees that
Google’s responsibilities do not extend to the internal
management or administration of the Services for Customer
and that Google is merely a data-processor.
Warranty and Indemnification
With regard to warranties, at a minimum, the contract
should:
• Warrant that the service conforms to and will
perform in accordance with its specifications
• Warrant that the service does not infringe any
third-party intellectual property rights
Warranty and Indemnification
With regard to indemnification, the contract should
address:
• Indemnification by provider for infringement of 3rd
party intellectual property rights AND inappropriate
disclosure or data breach (ideally, the provider would
indemnify for all acts and omissions)
• Indemnification by the school should be limited in the
case of misconduct by end users.
(Note, some schools may have state law restrictions on
their ability to indemnify providers)
Choice of Law/Venue
Because some schools may have state law restrictions
on their ability to consent to these clauses, the
following approach is encouraged:
• Choose the school’s law and jurisdiction as the
governing law;
• Provide that actions must be brought in the
defendant’s jurisdiction; or
• Simply delete the Choice of Law clause entirely.
Additional Issues


Publicity (i.e. use of the school’s name, logo, or
trademark)
Responsibility for unauthorized or inappropriate use
(it is preferable to state only that the school will not
“authorize” or “knowingly allow” inappropriate use
of the provider’s service)
Negotiating Contracts



Don’t sign a provider’s form “as is”
Retain counsel to assist with contract review
Consider “pooling resources” with other schools
(See, e.g. Wisconsin Department of Public
Instruction’s approach, including negotiated contract
and consent forms)
Possible Contract Approaches




Baseline: Individual schools provide the services best suited
to the edge/leverage culture of their schools.
Commercial Sourcing (COMSo): Schools identify and shift
particular services to a commercial service provider via
contract (student mail is a leading example of this as is
iTunesU).
Institutional Sourcing (INSo): An institution (e.g. state
college or university) provides IT services to schools via
contract and fee.
Consortium Sourcing (CONSo): Schools aggregate
demand, define service levels, and governance for a service
then source the provisioning of that service to (a) commercial
providers and/or (b) institutional providers.
Conclusion
Thank you!
Little Buffalo Law & Consulting