CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Transcription

1 CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street Salem, New Hampshire (603)

2 WHAT IS CLOUD COMPUTING? The federal government defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Peter Nell and Timothy Grance, The National Institute of Standards and Technology Definition of Cloud Computing (NIST), Special Publication (September 2011). The NIST definition describes five essential characteristics of the cloud are: (1) on-demand self-service; (2) broad network access through mobile phones, tablets, laptops, and workstations; (3) resource pooling to serve multiple consumers; (4) rapid elasticity to meet demand; and (5) measured service. More simply, cloud computing is the use, transmission, and storage of information through applications and services offered over the Internet and hosted by third-party organizations. In cloud computing, internet-based computer resources are shared rather than using local servers or devices. Examples of cloud services are Dropbox, Yahoo, Google Docs, Google Apps Education, ClassLink, Net Trekker, and inbloom. ADVANTAGES AND DISADVANTAGES OF CLOUD COMPUTING. A school district may want to use cloud computing to reduce costs. A school district using cloud computing can reduce the costs of purchasing hardware and software to process and store information and can also reduce its IT maintenance costs. A school district can also save money by using cloud computing because it only pays for the actual storage and processing time it uses. Cloud Computing Issues For Schools, Inquiry & Analysis (September 2011), at 5. Cloud computing also allows a school district the flexibility to access information from any Internet connection and location and to process information on platforms that may not be compatible with the school district s software. Id. Cloud computing can also increase the efficiency of managing student records and increase learning opportunities. However, by using and storing its data on the cloud provider s server, the school district loses control of the data and the security measures to protect against unauthorized access to its data. The school district also permits its data to be accessed by the cloud provider. Another disadvantage is the potential loss of data or access to it if the cloud provider is off-line. DOES THE LAW PERMIT A SCHOOL DISTRICT TO USE CLOUD COMPUTING? Neither federal nor state law prohibit a school district from using cloud computing. A school district can use cloud computing to transmit and store education data including student records. However, the use of cloud computing does not negate the school district s obligations to protect the confidentiality of information. The United States Department of Education noted in its comments to the 2011 amendments to the Family Educational Rights and Privacy Act (FERPA) regulations: 1

3 The Department has not yet issued any official guidance on cloud computing, as this is an emerging field. We note, however, that the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII [personally identifiable information] from education records, regardless of where the data are hosted. Family Educational Rights and Privacy, 76 Federal Register 75604, (2011). The United States Department of Education has stated that a school district that uses cloud computing to outsource its information technology services must comply with the FERPA requirements for disclosure of personally identifiable information to third party contractors in 34 CFR 99.31(a)(1)(i) of the FERPA regulations. 34 CFR 99.31(a)(1)(i) establishes three requirements for outsourcing technology services: 1. The outside party must perform an institutional service or function for which the school district would otherwise use employees; 2. The outside party must be under the school district s control with respect to the use and maintenance of education records; and 3. The outside party is subject to the requirements of 34 CFR 99.33(a) governing the use and redisclosure of personally identifiable information. The direct control requirement as it applies to outsourcing technology services requires: Schools outsourcing information technology services, such as web-based and e- mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information. Family Educational Rights and Privacy, 73 Federal Register 74806, (2008). FERPA does not explicitly require that education data be stored within the United States. Privacy Technical Assistance Center, Frequently Asked Questions, Cloud Computing, (2012) at 5. However, the best practice is to store the information in the United States. Otherwise, the school district will not be able to comply with the direct control requirement because it may not be able to hold the foreign cloud provider legally accountable for protecting the confidentiality of personally identifiable information from education records. Id., pp. 5 and 6. A school district that outsources its information technology services should amend its FERPA policy to include outsourcing technology service providers as school officials. 2

4 FACTORS A SCHOOL DISTRICT SHOULD CONSIDER IN DECIDING TO USE CLOUD COMPUTING. Before deciding to use cloud computing, the United States Department of Education suggests that a school district answer certain questions about the security, privacy, legal, and compliance issues of using cloud computing. 1 Those questions are: 1. Does the cloud solution offer equal or greater data security capabilities than those provided by the school district s data center? 2. Has the school district taken into account the vulnerabilities of the cloud solution? 3. Has the school district considered that incident detection and response can be more complicated in a cloud-based environment? 4. Has the school district considered metrics collection, and system performance and security monitoring are more difficult in the cloud? 5. How will the school district exercise control over the data within the cloud to ensure that the data are available and that confidentiality and integrity of the data remain protected? 6. Are there appropriate access and use controls in place to provide proper level of accountability? 7. Are there any concerns regarding screening and monitoring of contractor staff and their activities? 8. Has the school district evaluated potential legal concerns associated with outsourcing data management to a cloud provider? For example, the school district must have a way to get the data back in a secure and timely manner in case a cloud provider goes out of business. 9. Has the school district considered what measures it will need to implement to ensure that the cloud provider complies with all applicable federal, state, and local privacy laws, including FERPA? For example, has the school district made sure that storing data on the cloud does not interfere with its ability to provide parents 1 The United States Department of Education has established a Privacy Technical Assistance Center (PTAC) as a resource for school districts. PTAC information can be accessed at The questions are derived from PTAC Frequently Asked Questions -- Cloud Computing (June 2012). 3

5 and eligible students with access to their education records should they choose to exercise their FERPA right to inspect and review them? The school district will also need to comply with the requirements of the Children s Online Privacy Protection Act (COPPA) (15 U.S.C ); the Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. 1232h); the Children s Internet Protection ACT (CIPA) (47 U.S.C. 254); and the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 300gg; 29 U.S.C et seq., 42 U.S.C. 1320d et seq.). COPPA is a federal law that requires that websites obtain parental consent before collecting personal information from children under 13 years of age who use or visit the site. PPRA requires written parental consent before minor students are required to participate in certain surveys, analyses, or evaluations which seek to collect personal information from students. CIPA requires school districts to use filters to block access to obscene information, child pornography, or other information harmful to minors. HIPAA requires covered entities to protect the use and disclosure of protected health information. 10. Has the school district evaluated its existing protections to establish a baseline level of protection with which to evaluate potential benefits and risks associated with moving to a cloud-based alternative? 11. Will the school district s insurer or risk pool provide coverage to protect the school district against risks posed by cloud computing? SELECTING A CLOUD COMPUTING PROVIDER 2 A school district must take reasonable steps to ensure the security of its information and data in the cloud. The United States Department of Education recognizes that no system for maintaining and transmitting education records, whether in paper or electronic form can be guaranteed safe from every hacker and thief, technological failure, violation of administrative rules, and other causes of unauthorized access and disclosure.... The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable. 73 Federal Register at Most of the questions are from the New Hampshire Bar Association s Ethics Committee Advisory Opinion # /4 The Use Of Cloud Computing In The Practice Of Law And Creating Effective Cloud Computing Contracts For The Federal Government, Best Practices For Acquiring IT As A Service (February 24, 2012). 4

6 Simply selecting a provider without knowing anything about the provider s location data storage practices, and security measures does not fulfill the school district s responsibilities. Reasonable steps require that the school district pose certain questions to the potential cloud provider. The questions that the school district should ask the provider in writing are: 1. Is the provider a reputable organization? How long has the provider been in business? What are its history, financial resources, and strategy? Does the provider have experience in dealing with regulated information? 2. Where are the provider s servers located and what are the privacy laws in effect at that location regarding unauthorized access, retrieval, and destruction of compromised data? If the servers are located in a foreign country, do the privacy laws of that country reasonably mirror those of the United States? If the servers are relocated, will the provider notify the school district in advance? Can the provider certify where the data is located at any one point in time? 3. Does the provider offer robust security measures such as, at a minimum, password protections or other verification procedures limiting access to the data; safeguards such as data back-up and restoration, a firewall, or encryption; periodic audits by third parties of the provider s security; and notification procedures in case of a breach? 4. Who has access to the school district s data, both in its live and backup state? 5. Is the data stored in a format that renders it retrievable as well as secure? Is it stored in a proprietary format and is it promptly and reasonably retrievable by the school district to respond to Right-To-Know Law requests, litigation needs, or parental requests for education records? Is metadata preserved? 6. Does the provider allow the school district to destroy all copies or renditions of records from the cloud when appropriate? 7. Does the provider allow the school district to implement record retention policies and schedules across categories of records and to retain the integrity of the files for the duration of the school district s records retention schedule? 8. Does the provider commingle data belonging to different clients such that retrieval may result in inadvertent disclosure? Does the provider segregate data for each client? 9. Does the provider own the data stored in the cloud? 5

7 10. Does the provider have an enforceable obligation to keep the data confidential? 11. Does the provider subcontract with excess capacity providers? 12. What will happen to the data when the agreement between the school district and provider is terminated? 13. Will data be destroyed or compromised in case of nonpayment? Will any or all of the data be retained by the provider, and if so, where and for how long? 14. Do the terms of service obligate the provider to warn the school district if information is being subpoenaed by a third party, where the law permits such notice? 15. What is the provider s disaster recovery plan with respect to stored data? Is a copy of the digital data stored on-site? 16. Does the provider mine or allow third parties to mine the school district s data? 17. How can the school district access the data if there is an Internet access failure? CONTINUING OBLIGATIONS EVEN AFTER SELECTING A CLOUD PROVIDER The school district s obligation to protect the security of information and data in the cloud does not cease when a cloud provider is selected. The school district must periodically review the performance of its cloud provider and its security systems, location, and practices. The school district should review its cloud provider and its services to determine whether it is keeping current with changes in technology and the law. 6