CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013



Similar documents
2015 NMSBA SCHOOL LAW CONFERENCE

HIPAA BUSINESS ASSOCIATE AGREEMENT

Overview of the HIPAA Security Rule

Acceptable Use Policy

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY]

BUSINESS ASSOCIATE AGREEMENT ( BAA )

STATE OF NEW JERSEY Security Controls Assessment Checklist

plantemoran.com What School Personnel Administrators Need to know

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

Ethical Considerations for Lawyers Using the Cloud

Privacy and Data Security Update for Defense Contractors

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Policy Student Data Protection and Privacy/Cloud-based Issues

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Model Business Associate Agreement

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

FirstCarolinaCare Insurance Company Business Associate Agreement

Health Partners HIPAA Business Associate Agreement

Montclair State University. HIPAA Security Policy

HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

Page 1 of 15. VISC Third Party Guideline

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

M E M O R A N D U M. Definitions

BUSINESS ASSOCIATE AGREEMENT

Standard: Information Security Incident Management

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

Network and Security Controls

HIPAA BUSINESS ASSOCIATE AGREEMENT

Data Processing Agreement for Oracle Cloud Services

SaaS. Business Associate Agreement

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

HIPAA and Mental Health Privacy:

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

My Docs Online HIPAA Compliance

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

[SUBPART CLOUD COMPUTING (DEVIATION 2015-O0011) Prescribes policies and procedures for the acquisition of cloud computing services.

Cloud Computing. What is Cloud Computing?

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS

Kaiser Permanente Affiliate Link Provider Web Site Application

Online Lead Generation: Data Security Best Practices

BUSINESS ASSOCIATE ADDENDUM

Data Management Policies. Sage ERP Online

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

This form may not be modified without prior approval from the Department of Justice.

1/23/2015. MSBO Technology Committee January 22, Examples of Online Educational Services

HIPAA Privacy & Security White Paper

Service Description: Dell Backup and Recovery Cloud Storage

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015

Office of the Chief Information Officer

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

K-20 Network Acceptable Use Guidelines/Internet Safety Requirements

Information Security Program Management Standard

Business Associate Agreement

Litigating in the Cloud - Security Issues for the Trial Practice

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Information Technology: This Year s Hot Issue - Cloud Computing

In order to adjudicate an appeal, OPM requires claimants or their authorized representatives to submit the following information:

BUSINESS ASSOCIATE AGREEMENT

PTAC Toolkit for LEAs: Staff Policies and Teacher Access March 24, 2014

Report on Student Data Security in Online Assessment OHIO DEPARTMENT OF EDUCATION DECEMBER 2014

Top Ten Technology Risks Facing Colleges and Universities

DATA SECURITY AGREEMENT. Addendum # to Contract #

Privacy and Cloud Computing for Australian Government Agencies

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

BUSINESS ASSOCIATE AGREEMENT

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

Can Your Diocese Afford to Fail a HIPAA Audit?

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

BUSINESS ASSOCIATE AGREEMENT

John Essner, CISO Office of Information Technology State of New Jersey

TECHNOLOGY RESPONSIBLE USE Policy Code: 3225/4312/7320

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Healthcare Compliance Solutions

Privacy Law Basics and Best Practices

Business Associate and Data Use Agreement

Information Security Policy

HIPAA Security Alert

1. The records have been created, sent or received in connection with the compilation.

HIPAA BUSINESS ASSOCIATE AGREEMENT

Privacy, the Cloud and Data Breaches

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

CHIS, Inc. Privacy General Guidelines

White Paper on Financial Institution Vendor Management

(Internet) for students, staff and, if requested, members of the Board of Education. All computer

Student use of the Internet Systems is governed by this Policy, OCS regulations, policies and guidelines, and applicable law.

Transcription:

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street Salem, New Hampshire 03079 (603) 898-9776 gorrow@soulefirm.com

WHAT IS CLOUD COMPUTING? The federal government defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Peter Nell and Timothy Grance, The National Institute of Standards and Technology Definition of Cloud Computing (NIST), Special Publication 800-145 (September 2011). The NIST definition describes five essential characteristics of the cloud are: (1) on-demand self-service; (2) broad network access through mobile phones, tablets, laptops, and workstations; (3) resource pooling to serve multiple consumers; (4) rapid elasticity to meet demand; and (5) measured service. More simply, cloud computing is the use, transmission, and storage of information through applications and services offered over the Internet and hosted by third-party organizations. In cloud computing, internet-based computer resources are shared rather than using local servers or devices. Examples of cloud services are Dropbox, Yahoo, Google Docs, Google Apps Education, ClassLink, Net Trekker, and inbloom. ADVANTAGES AND DISADVANTAGES OF CLOUD COMPUTING. A school district may want to use cloud computing to reduce costs. A school district using cloud computing can reduce the costs of purchasing hardware and software to process and store information and can also reduce its IT maintenance costs. A school district can also save money by using cloud computing because it only pays for the actual storage and processing time it uses. Cloud Computing Issues For Schools, Inquiry & Analysis (September 2011), at 5. Cloud computing also allows a school district the flexibility to access information from any Internet connection and location and to process information on platforms that may not be compatible with the school district s software. Id. Cloud computing can also increase the efficiency of managing student records and increase learning opportunities. However, by using and storing its data on the cloud provider s server, the school district loses control of the data and the security measures to protect against unauthorized access to its data. The school district also permits its data to be accessed by the cloud provider. Another disadvantage is the potential loss of data or access to it if the cloud provider is off-line. DOES THE LAW PERMIT A SCHOOL DISTRICT TO USE CLOUD COMPUTING? Neither federal nor state law prohibit a school district from using cloud computing. A school district can use cloud computing to transmit and store education data including student records. However, the use of cloud computing does not negate the school district s obligations to protect the confidentiality of information. The United States Department of Education noted in its comments to the 2011 amendments to the Family Educational Rights and Privacy Act (FERPA) regulations: 1

The Department has not yet issued any official guidance on cloud computing, as this is an emerging field. We note, however, that the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII [personally identifiable information] from education records, regardless of where the data are hosted. Family Educational Rights and Privacy, 76 Federal Register 75604, 75612 (2011). The United States Department of Education has stated that a school district that uses cloud computing to outsource its information technology services must comply with the FERPA requirements for disclosure of personally identifiable information to third party contractors in 34 CFR 99.31(a)(1)(i) of the FERPA regulations. 34 CFR 99.31(a)(1)(i) establishes three requirements for outsourcing technology services: 1. The outside party must perform an institutional service or function for which the school district would otherwise use employees; 2. The outside party must be under the school district s control with respect to the use and maintenance of education records; and 3. The outside party is subject to the requirements of 34 CFR 99.33(a) governing the use and redisclosure of personally identifiable information. The direct control requirement as it applies to outsourcing technology services requires: Schools outsourcing information technology services, such as web-based and e- mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information. Family Educational Rights and Privacy, 73 Federal Register 74806, 74816 (2008). FERPA does not explicitly require that education data be stored within the United States. Privacy Technical Assistance Center, Frequently Asked Questions, Cloud Computing, (2012) at 5. However, the best practice is to store the information in the United States. Otherwise, the school district will not be able to comply with the direct control requirement because it may not be able to hold the foreign cloud provider legally accountable for protecting the confidentiality of personally identifiable information from education records. Id., pp. 5 and 6. A school district that outsources its information technology services should amend its FERPA policy to include outsourcing technology service providers as school officials. 2

FACTORS A SCHOOL DISTRICT SHOULD CONSIDER IN DECIDING TO USE CLOUD COMPUTING. Before deciding to use cloud computing, the United States Department of Education suggests that a school district answer certain questions about the security, privacy, legal, and compliance issues of using cloud computing. 1 Those questions are: 1. Does the cloud solution offer equal or greater data security capabilities than those provided by the school district s data center? 2. Has the school district taken into account the vulnerabilities of the cloud solution? 3. Has the school district considered that incident detection and response can be more complicated in a cloud-based environment? 4. Has the school district considered metrics collection, and system performance and security monitoring are more difficult in the cloud? 5. How will the school district exercise control over the data within the cloud to ensure that the data are available and that confidentiality and integrity of the data remain protected? 6. Are there appropriate access and use controls in place to provide proper level of accountability? 7. Are there any concerns regarding screening and monitoring of contractor staff and their activities? 8. Has the school district evaluated potential legal concerns associated with outsourcing data management to a cloud provider? For example, the school district must have a way to get the data back in a secure and timely manner in case a cloud provider goes out of business. 9. Has the school district considered what measures it will need to implement to ensure that the cloud provider complies with all applicable federal, state, and local privacy laws, including FERPA? For example, has the school district made sure that storing data on the cloud does not interfere with its ability to provide parents 1 The United States Department of Education has established a Privacy Technical Assistance Center (PTAC) as a resource for school districts. PTAC information can be accessed at www.ed.gov/ptac. The questions are derived from PTAC Frequently Asked Questions -- Cloud Computing (June 2012). 3

and eligible students with access to their education records should they choose to exercise their FERPA right to inspect and review them? The school district will also need to comply with the requirements of the Children s Online Privacy Protection Act (COPPA) (15 U.S.C. 6501-6506); the Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. 1232h); the Children s Internet Protection ACT (CIPA) (47 U.S.C. 254); and the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 300gg; 29 U.S.C. 1881 et seq., 42 U.S.C. 1320d et seq.). COPPA is a federal law that requires that websites obtain parental consent before collecting personal information from children under 13 years of age who use or visit the site. PPRA requires written parental consent before minor students are required to participate in certain surveys, analyses, or evaluations which seek to collect personal information from students. CIPA requires school districts to use filters to block access to obscene information, child pornography, or other information harmful to minors. HIPAA requires covered entities to protect the use and disclosure of protected health information. 10. Has the school district evaluated its existing protections to establish a baseline level of protection with which to evaluate potential benefits and risks associated with moving to a cloud-based alternative? 11. Will the school district s insurer or risk pool provide coverage to protect the school district against risks posed by cloud computing? SELECTING A CLOUD COMPUTING PROVIDER 2 A school district must take reasonable steps to ensure the security of its information and data in the cloud. The United States Department of Education recognizes that no system for maintaining and transmitting education records, whether in paper or electronic form can be guaranteed safe from every hacker and thief, technological failure, violation of administrative rules, and other causes of unauthorized access and disclosure.... The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable. 73 Federal Register at 7844. 2 Most of the questions are from the New Hampshire Bar Association s Ethics Committee Advisory Opinion #2012-13/4 The Use Of Cloud Computing In The Practice Of Law And Creating Effective Cloud Computing Contracts For The Federal Government, Best Practices For Acquiring IT As A Service (February 24, 2012). 4

Simply selecting a provider without knowing anything about the provider s location data storage practices, and security measures does not fulfill the school district s responsibilities. Reasonable steps require that the school district pose certain questions to the potential cloud provider. The questions that the school district should ask the provider in writing are: 1. Is the provider a reputable organization? How long has the provider been in business? What are its history, financial resources, and strategy? Does the provider have experience in dealing with regulated information? 2. Where are the provider s servers located and what are the privacy laws in effect at that location regarding unauthorized access, retrieval, and destruction of compromised data? If the servers are located in a foreign country, do the privacy laws of that country reasonably mirror those of the United States? If the servers are relocated, will the provider notify the school district in advance? Can the provider certify where the data is located at any one point in time? 3. Does the provider offer robust security measures such as, at a minimum, password protections or other verification procedures limiting access to the data; safeguards such as data back-up and restoration, a firewall, or encryption; periodic audits by third parties of the provider s security; and notification procedures in case of a breach? 4. Who has access to the school district s data, both in its live and backup state? 5. Is the data stored in a format that renders it retrievable as well as secure? Is it stored in a proprietary format and is it promptly and reasonably retrievable by the school district to respond to Right-To-Know Law requests, litigation needs, or parental requests for education records? Is metadata preserved? 6. Does the provider allow the school district to destroy all copies or renditions of records from the cloud when appropriate? 7. Does the provider allow the school district to implement record retention policies and schedules across categories of records and to retain the integrity of the files for the duration of the school district s records retention schedule? 8. Does the provider commingle data belonging to different clients such that retrieval may result in inadvertent disclosure? Does the provider segregate data for each client? 9. Does the provider own the data stored in the cloud? 5

10. Does the provider have an enforceable obligation to keep the data confidential? 11. Does the provider subcontract with excess capacity providers? 12. What will happen to the data when the agreement between the school district and provider is terminated? 13. Will data be destroyed or compromised in case of nonpayment? Will any or all of the data be retained by the provider, and if so, where and for how long? 14. Do the terms of service obligate the provider to warn the school district if information is being subpoenaed by a third party, where the law permits such notice? 15. What is the provider s disaster recovery plan with respect to stored data? Is a copy of the digital data stored on-site? 16. Does the provider mine or allow third parties to mine the school district s data? 17. How can the school district access the data if there is an Internet access failure? CONTINUING OBLIGATIONS EVEN AFTER SELECTING A CLOUD PROVIDER The school district s obligation to protect the security of information and data in the cloud does not cease when a cloud provider is selected. The school district must periodically review the performance of its cloud provider and its security systems, location, and practices. The school district should review its cloud provider and its services to determine whether it is keeping current with changes in technology and the law. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information